FDA’s Requirements from Medical Device Manufacturers for Post-market Management of Cybersecurity
December 28th, 2016
On December 28, 2016, the Food and Drug Administration (FDA) of the United States of America published guidance setting out requirements for medical device manufacturers to manage cybersecurity threats to devices they have already sold. Medical device manufacturers are required to implement comprehensive cybersecurity risk management programs and documentation consistent with the Quality System Regulation (21 CFR part 820), including software validation and risk analysis (21 CFR 820.30(g)) and servicing (21 CFR 820.200), together with vulnerability handling processes that comply with ISO/IEC 30111:2013.
Medical device manufacturers also need to identify cybersecurity vulnerabilities and assess the threat source. This can be done using a wide range of software and hardware tools, chosen to fit the specifics of the manufacturer's devices and consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e. Identify, Protect, Detect, Respond, and Recover). The FDA also requires that the medical device manufacturer remediate cybersecurity vulnerabilities to reduce the risk of patient harm to an acceptable level. What this means for medical device manufacturers, many of whom are ISSQUARED's customers, is that they need to have IT Managed Services in place with systems and processes that can be inspected by the FDA. Our customers who are leveraging our IT Managed Services have been very successful in meeting the FDA's requirements, and we have been instrumental in guiding them to meet these requirements.