The Food and Drug Administration has issued final guidance asking medical-device manufacturers to address cybersecurity threats before and after their products are approved for sale. Cybersecurity is critical as medical devices increasingly connect with each other, the agency said.
The FDA said manufacturers should identify what information or other assets hackers might target and how they might get to it. The companies are asked to consider the tradeoffs between greater security and usability and determine the risk level associated with a particular threat. The agency recommends strategies that include limiting access through electronic authentication (such as passwords or biometric scans) and physical locks to prevent tampering, as well as different levels of access based on a user's role. For example, a technician might have more limited access to a program than a system administrator.
The agency recommends that manufacturers submit documentation to the FDA during the pre-approval process explaining how they are addressing cybersecurity issues with the product and how they will continue to address them after the product is on the market.