FDA Issues Guidelines on Medical Device Cybersecurity

January 18, 2016

The Food and Drug Administration (FDA) has issued a new set of draft guidelines intended to get medical device manufacturers to address cybersecurity risks both while designing products and throughout their maintenance once deployed.

The 25-page document recommends that manufacturers adopt a cybersecurity risk management program that incorporates a set of prescribed elements.

As one of those elements, the agency is encouraging manufacturers to apply the framework described in “Framework for Improving Critical Infrastructure Cybersecurity,” a 2014 report published by the National Institute of Standards and Technology (NIST). That report, which came as a result of Executive Order 13636, advocates a “framework core” of five functions for managing cybersecurity risk: Identify, Protect, Detect, Respond, and Recover.

The FDA also stresses that manufacturers should make sure they can detect a vulnerability’s presence, understand and assess its impact, and streamline the communication process around it.

According to the guidance document, the program should also adopt a vulnerability disclosure policy and practice, and deploy mitigations that address risk early, before a vulnerability is exploited.
