FDA Recommendations for Cybersecurity in Life Sciences

Tue, Feb 07, 2017 / by Alexa Sussman

“Cybersecurity threats are real, ever-present, and continuously changing.”

That’s how Suzanne B. Schwartz of the FDA describes the production and postmarket environment for medical devices. And it’s true: cybersecurity threats pose ever-present challenges to the Life Sciences industry, putting people’s health, safety and security at risk.

With that in mind, the FDA released official guidance for postmarket cybersecurity management. This is extremely important because many devices are connected to hospital systems or personal internet systems that contain a lot of sensitive information.

The FDA recommends a full lifecycle approach to security, which begins in the design phase:

  • Have a system for monitoring and detecting cybersecurity vulnerabilities.
  • Use risk management to identify and understand the level of risk a vulnerability can potentially pose.
  • Include external cybersecurity stakeholders to research and consult on potential vulnerabilities. This is formally known as a “coordinated vulnerability disclosure policy.”
  • Mitigate cybersecurity risks proactively before they are exploited.

Prioritizing cybersecurity measures in the earliest phases of product design will benefit you through all stages of production and postmarket release.

Case in Point: St. Jude Medical

One company doing an excellent job of managing postmarket cybersecurity is St. Jude Medical, Inc. They recently announced their latest set of cybersecurity measures for the Merlin remote monitoring system that’s used with implantable pacemaker and defibrillator devices.

Within the past 3 years, they have released seven software updates with more scheduled for this year. All of these updates aimed to tighten security measures.

Yes, this is a lot of work, but when the integrity of a medical device is at stake, it is a priority.

The amount of work that St. Jude Medical put into their postmarket cybersecurity is nothing compared to the time and resources it would take to recover from a cybersecurity breach.  

Driving the Point Home

The FDA recommendations are a good starting point for using your Quality Management System to improve your own security measures. Some features to take advantage of:

  • Risk Management Tools for identifying which vulnerabilities could be the most dangerous.
  • Document Control and Employee Training to keep everyone informed of possible threats and trained on the set procedure for identifying and handling them.
  • Reporting Tools to identify trends and measure security improvement.

Given the FDA recommendations and the tools you already have in your QMS, you can take proactive steps to reduce the chances of a cybersecurity breach and maintain the integrity of your medical devices.


Topics: Life Sciences
