FDA proposes cybersecurity guidance for medical devices

(Reuters) - The U.S. Food and Drug Administration on Friday issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in their devices. "Cybersecurity threats to medical devices are a growing concern," the agency said in a statement. "The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices." The draft guidance, which is not legally binding, recommends companies take a number of actions, including monitoring and assessing risk, coordinating efforts by companies, government and other groups do disclose vulnerabilities, and taking measures to address cybersecurity risk early. Most cybersecurity vulnerabilities are considered routine and can be remedied by updates or patches which would not need to be reported under the proposed guidance, the agency said. Companies would be required to report vulnerabilities that could compromise clinical performance of the device and risk a patient's health. The guidance covers how companies should monitor devices once they have been cleared for marketing. The agency previously issued guidance for companies still in the development stage to help inform design choices. Joshua Corman, founder of I Am The Cavalry, a cybersafety advocacy group who worked with the FDA on the guidance, said he was extremely encouraged by the agency's action. "I have found the FDA has been very forward thinking to get out in front of this and not wait for proof of harm before acting," he said. The proposed guidance will be open for public comment for 90 days, after which the FDA will issue final guidance. The agency is holding a public cybersecurity workshop at its headquarter in Silver Spring, Maryland on Jan. 20-21. The workshop will focus on "unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity." (Reporting by Toni Clarke in Washington; editing by Paul Simao and David Gregorio)