Medical device manufacturers have been aware of the importance of cybersecurity for several years, and the FDA has been publishing guidance on it since 2005.
The responsibility for cybersecurity is shared among the various stakeholders, one of whom is the medical device manufacturer. Device manufacturers have recognized both the business and regulatory imperatives to address cybersecurity through the design and development process.
The FDA has indicated, through the cybersecurity guidance documents and a publication, that it feels the responsibility of manufacturers to address cybersecurity is implied in the Quality System Regulations (QSRs). Specifically, this covers the need for manufacturers to assess cybersecurity risk and develop product requirements to address any vulnerability as part of software validation and risk analysis.
Several of the FDA guidance documents recommend that device manufacturers develop a set of controls to both assess and maintain functionality and safety in the presence of cybersecurity threats. This assessment is recommended to start during development and to encompass the definition of “design inputs” related to cybersecurity.
As with other risk management perspectives, such as business and product, cybersecurity needs to be considered throughout the development process.
To understand how a company should consider approaching these regulatory requirements, it is helpful to start by understanding the potential motivations and nature of the attacks seen to date. Although we should anticipate that new attack methods will be developed, at a minimum we need to address known methods.