The Food and Drug Administration this week finalized new cyber-security guidance for medical device manufacturers. The guidance, “Content of Premarket Submissions for Management of Cyber-Security in Medical Devices,” recommends that manufacturers consider cyber-security risks as part of the design and development of a medical device, and submit documentation to the FDA about controls in place to mitigate those risks. The FDA also asks manufacturers to submit their plans for providing patches and updates to operating systems and medical software.

“By carefully considering possible cyber-security risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices,” an FDA statement says.

The FDA’s concerns about cyber-security vulnerabilities include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network. The agency is planning a public workshop this fall to discuss how government, medical device developers, hospitals, and cyber-security experts can collaborate.