FDA Wants Your Input on Cybersecurity for Servicing of Medical Devices

On June 17, 2021, FDA has released a discussion paper to discuss cybersecurity issues related to the servicing of medical devices. We have previously posted blogs about FDA’s increasing interest on cybersecurity both in the premarket (see our past blog posts here, here, and here) and the postmarket space (see our past blog posts here and here). FDA is now expanding its cybersecurity effort in servicing of medical devices.

Medical device cybersecurity is a shared stakeholder responsibility over the total product lifecycle to prevent compromised functionality, loss of medical or personal data, inadequate data integrity, or the spreading of security threats to other connected devices or networks.  In this discussion paper, FDA emphasizes cybersecurity challenges related to a non-OEM (original equipment manufacturer) entity’s activities in the following four areas.

First, how can non-OEMs address cybersecurity challenges related to the entity’s need for privileged access to diagnose, maintain, and repair the functions of the device (i.e., privileged access issue)?

Second, how can servicing entities collect and share the postmarket data regarding identification of cybersecurity vulnerabilities and incidents (i.e., Identification of Cybersecurity Vulnerabilities and Incidents)?

Third, what would be effective methods or pathways for interested stakeholders to prevent and mitigate cybersecurity vulnerabilities (i.e., Prevention and Mitigation of Cybersecurity Vulnerabilities)?

Fourth, when OEMs stop supporting the device while healthcare establishments continue to use unpatched but still clinically useful devices despite vulnerability to cyber-attack, what would be an effective mitigation to address unpatched medical device cybersecurity over the total product lifecycle (i.e., Product Life Cycle Challenges and Opportunities)?

FDA invites stakeholders to specifically address the following three questions.

1. What are the cybersecurity challenges and opportunities associated with the servicing of medical devices?
2. Are the four areas identified in this discussion paper (privileged access, identification of cybersecurity vulnerabilities and incidents, prevention and mitigation of cybersecurity vulnerabilities, and product lifecycle challenges and opportunities) the correct cybersecurity priority issues to address in the servicing of medical devices? If not, which areas should be the focus?
3. How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?

Interested parties have until September 22, 2021 to comment on these three questions as well as the issues raised in this discussion paper.  You can browse comments already submitted or submit your own at this link.