The US Food and Drug Administration (FDA) has published guidance informing of the FDA’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance emphasizes that manufacturers of medical devices should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management. It urges manufacturers to implement comprehensive cybersecurity risk management programs and documentation focused on identifying, evaluating and mitigating cybersecurity risks in medical devices which may result in patient harm. Such programs should include complaint handling, quality audits, corrective and preventive action, software validation and risk analysis, and product servicing, all of which should comply with applicable federal regulations.

• Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
• Monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
• Adopting a coordinated vulnerability disclosure policy and practice;
• Assessing the exploitability of cybersecurity vulnerabilities in medical devices and the severity of patient harm if the vulnerability were to be exploited.