This document is designed to provide concrete recommendations to all responsible stakeholders on the general principles and best practices for medical device cybersecurity (including in vitro diagnostic (IVD) medical devices). It outlines recommendations for medical device manufacturers, healthcare providers, regulators, and users to: minimize cybersecurity risks that continuity of device safety and performance. For the purpose of this guidance, healthcare providers include healthcare delivery organizations.
This document is intended to:
Employ a risk-based approach to the design and development of medical devices with appropriate cybersecurity protections;
Ensure the safety, performance, and security of medical devices and the connected healthcare infrastructure;
Recognize that cybersecurity is a shared responsibility among all stakeholders, including but not limited to medical device manufacturers, healthcare providers, users, regulators, and vulnerability finders;
Provide recommendations to those stakeholders to aid in minimizing the risk of patient harm across the total product life cycle;
Define terms consistently and describe the current best practices for achieving medical device cybersecurity;
Promote broad information sharing policies for cybersecurity incidents, threats, and vulnerabilities to increase transparency and to strengthen response.