The FDA’s guidance also recommends that cybersecurity risk management programs include components such as:
- Monitoring cybersecurity information sources to identify and detect cybersecurity vulnerabilities and risks;
- Monitoring third-party software components for new vulnerabilities throughout the device's total product lifecycle;
- Adopting a coordinated vulnerability disclosure policy and practice;
- Assessing the exploitability of each cybersecurity vulnerability in a medical device and the severity of patient harm if that vulnerability were exploited.
The guidance sets out a risk-based framework for assessing whether a change made to a medical device to address a cybersecurity vulnerability is a routine update or patch, or whether it must be reported to the FDA. The FDA states that the guidance is non-binding but represents the agency's current thinking on this topic.
The full document is the FDA's guidance on Postmarket Management of Cybersecurity in Medical Devices.