The U.S. Food and Drug Administration on Thursday released draft guidance on cybersecurity considerations for medical device manufacturers submitting premarket review materials, a step toward updating guidance issued seven years ago.

The proposal, which replaces an earlier draft the FDA released in 2018, would increase expectations related to software development and transparency of medical devices that contain software. The FDA is seeking public feedback on the proposal.

Once finalized, the new guidance will replace the premarket guidance on medical device cybersecurity that was last updated in 2014.

“In light of the rapidly evolving device cybersecurity landscape, the FDA is issuing this draft guidance…to further emphasize the importance of ensuring that devices are designed to be secure, designed to mitigate cybersecurity risks that arise throughout the product lifecycle, and to clearly outline FDA’s commitment to marketing prior submissions to address cybersecurity concerns, including device labeling,” the FDA said in the Federal Register notice.

The FDA’s premarket guidance sets expectations for how device manufacturers should design and label products when submitting information to FDA for premarket review to ensure that they meet FDA standards and that they should provide documentation about their design and development efforts.

The last time the FDA issued postmarket guidance governing medical device cybersecurity was in 2016.

The latest draft guidance recommends that device manufacturers adopt a “secure product framework” — a set of software development practices that prioritize security — to identify and reduce vulnerabilities throughout the product development lifecycle. This includes assessing risk when new cybersecurity threats are discovered after product release.

The guidance will also make recommendations on what cybersecurity documentation device manufacturers should submit when applying for an investigational device exemption in a clinical trial.

It also recommends creating a “software bill of materials” for each medical device to build on. 2018 ex-recommendation For the “Cybersecurity Materials List”. The Software Bill of Materials will document all software components in the device, including proprietary software developed by the manufacturer as well as third-party commercial and open source software.

Since the FDA issued its 2016 post-market guidance, the federal government has issued 110 recommendations regarding medical device vulnerabilities disclosed by medical device manufacturers. compiled data Published last month by cybersecurity firm MedCrypt.

These vulnerabilities can be dangerous for hospitals and patients, as medical devices connected to the Internet or internal hospital networks could be hacked, compromised during a ransomware attack, or provide cybercriminals with access to the wider hospital network and window to steal data, According to cybersecurity experts. Network attacks May disrupt healthcare By delaying the procedure or forcing patient shunting.

FDA’s new proposal on premarket submissions highlights 2017 WannaCry Ransomware Attack Infected computers and equipment around the world – including some radiological equipment – as an example of a cyberattack affecting hospitals and medical equipment.

“Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting patient care services at U.S. and global healthcare facilities,” draft guidance Express. “Such cyberattacks and exploits may result in patient harm due to clinical harm, such as delayed diagnosis and/or treatment.”

FDA is accept feedback The draft guidance will run until July 7, after which the agency said it will begin work on the final version.