What should my cybersecurity management plan entail?
"The future of cybersecurity is not in building higher walls but in building smarter systems that can adapt and learn from each new challenge."
-Dan Schulman, CEO of PayPal
FDA risk mitigation overview
This is not intended to be an exhaustive list. We recommend that you consult FDA resources to plan and implement better risk mitigation strategies.
According to the FDA, you must have a strategy for identifying, monitoring, and addressing cybersecurity vulnerabilities and potential exploits; a plan for handling vulnerability disclosures and for establishing incident response protocols; and a plan for providing post-market updates and patches on a routine basis.
Strict cybersecurity breach notifications coming soon!
The FDA will soon require that you report major cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the incident. For ransomware payments, you will have 24 hours to report to CISA. These requirements will likely go into effect late in 2024 or 2025.
"The pace of technological change requires us to rethink our strategies for security, and embrace a proactive, not reactive, mindset."
-Bruce Schneier
FDA 2014 premarket cybersecurity guidelines
The FDA 2014 Premarket Cybersecurity Guidance recommended that manufacturers provide the following:
Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
A specific list of all cybersecurity risks that were considered in the design of your device;
A specific list of, and justification for, all cybersecurity controls that were established for your device;
A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered.
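As an added illustration (not part of this page or of the FDA guidance), the following Python checks a small traceability matrix for the two gaps a reviewer looks for: a considered risk with no control linked to it, and a control with no linked risk to justify it. All risk and control identifiers and descriptions are constructed sample values, not from any real device.

```python
from typing import Dict, List, Set

# Constructed sample inputs: considered risks and established controls, keyed by id.
RISKS: Dict[str, str] = {
    "R-01": "Unauthenticated access to the device's network service",
    "R-02": "Tampering with firmware during a field update",
    "R-03": "Loss of confidentiality of stored patient data",
    "R-04": "Malware introduced during manufacturing",  # deliberately left uncovered
}
CONTROLS: Dict[str, str] = {
    "C-01": "Mutual TLS authentication on the service port",
    "C-02": "Signed firmware images verified before install",
    "C-03": "AES-256 encryption of stored patient records",
    "C-04": "Password complexity policy on the admin console",  # deliberately unlinked
}
# The traceability matrix itself: each control -> the risk ids it was established to mitigate.
TRACE: Dict[str, Set[str]] = {
    "C-01": {"R-01"},
    "C-02": {"R-02"},
    "C-03": {"R-03"},
    "C-04": set(),
}


def unmitigated_risks(risks: Dict[str, str], trace: Dict[str, Set[str]]) -> List[str]:
    """Risks that were considered but have no control linked to them."""
    covered = set().union(*trace.values())
    return sorted(r for r in risks if r not in covered)


def unjustified_controls(controls: Dict[str, str], trace: Dict[str, Set[str]]) -> List[str]:
    """Controls with no linked risk, i.e. nothing in the hazard analysis justifies them."""
    return sorted(c for c in controls if not trace.get(c))


def dangling_links(risks: Dict[str, str], controls: Dict[str, str],
                   trace: Dict[str, Set[str]]) -> List[str]:
    """Matrix entries that reference an id missing from the risk or control lists."""
    bad = [f"{c} (unknown control)" for c in trace if c not in controls]
    bad += [f"{c} -> {r} (unknown risk)" for c, linked in trace.items() for r in linked if r not in risks]
    return sorted(bad)


def render_matrix(risks: Dict[str, str], controls: Dict[str, str], trace: Dict[str, Set[str]]) -> str:
    """Plain-text matrix with an X where a control is linked to a risk."""
    rows = ["Control  " + " ".join(risks)]
    for c in controls:
        cells = [("X" if r in trace.get(c, set()) else "-").center(len(r)) for r in risks]
        rows.append(f"{c:<8} " + " ".join(cells))
    return "\n".join(rows)
```

Run the three checks before submission; a non-empty result from any of them is a gap in the hazard analysis, the control list, or the matrix that links them.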
It also recommends managing the device postmarket and providing the plans as part of the premarket submission in Section 6, Items 3 and 4.
Plan for continuing support: How your company will monitor and maintain cybersecurity
Plan for malware-free shipping: How your company will ensure malware isn’t introduced in the manufacturing process or while devices are being updated in the field.
Managing postmarket cybersecurity in medical devices
Section X of the Postmarket Management of Cybersecurity in Medical Devices guidance also makes recommendations about the elements of an effective postmarket cybersecurity program.
MITRE also provides a Medical Device Cybersecurity Regional Incident Preparedness and Response playbook and the Playbook for Threat Modeling Medical Devices.
Device labeling
You should also address labeling as part of your cybersecurity program. This includes device instructions for use and product specifications that describe the recommended cybersecurity controls for the intended use environment (e.g., antivirus software, use of a firewall). These recommendations should be consistent with your risk controls, including any configuration required on the host computer or platform (e.g., a popup-blocker recommendation). Labeling should also include instructions to ensure the safe and effective use of the device, covering its interfaces and functionality, the security controls the user interacts with (e.g., passwords, software updates), your Manufacturer Disclosure Statement for Medical Device Security (MDS2) if you provide it to customers, your SBOM if you provide it to customers, and the device's logging capabilities and forensic log capture.
Create your cybersecurity strategy
This list isn't exhaustive, but it should help you get started on creating your cybersecurity strategy.
Understand the regulatory requirements for medical devices
Choose encryption tools
Determine encryption algorithms
Key management
Auditing data
Speed of the encryption
Consider hardware resource constraints
What does a medical device encompass?
"The definition of a medical device encompasses not only capital equipment, but also surgical instruments, patient monitoring, and even software. The breadth and variety of the field, combined with the critical importance of med devices to life and safety, requires a deliberate, focused approach to cybersecurity to ensure that they are resilient throughout their lifecycle."
-Nancy Brainerd (CISSP/CIPP), Senior Director of Product Security
Common risks to be aware of