FDA head plans update to medical device cyber security program

Food and Drug Administration Commissioner Scott Gottlieb said in a statement Monday that his agency plans to issue a “significant” update to guidance on the agency’s medical device cyber security program in the coming weeks.

Dr. Gottlieb said in his statement that the current premarket guidance was finalized in 2014, and the new guidance will reflect “the FDA’s most current understandings of, and recommendations regarding, this evolving space."

He said, for instance, the new draft guidance will highlight the utility of providing customers and users with a “cybersecurity bill of materials,” a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.

The statement said also the FDA has issued two “memoranda of understanding” with multiple stakeholder groups to create “information-sharing analysis organizations,” whose forums will permit manufacturers to share information about potential vulnerabilities and emerging threats.

The memo says the FDA “isn’t aware of any reports of unauthorized user exploiting a cybersecurity device that is in use by a patient. But the risk of such an attack persists.”