FDA Issues Guidance on Security of Medical Devices

The U.S. Food and Drug Administration (FDA) issued final guidance on Wednesday that is designed to strengthen the safety of medical devices. The FDA called on medical device manufacturers to consider cyber security risks as part of the design and development of devices.

The FDA issued guidance for manufacturers to address cyber security issues in the design of connected medical devices. (Infographic courtesy of Philips)

The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” asks device makers to submit documentation to the FDA about any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run.

The document, which will be released on Thursday, does not contain specific requirements. Rather, it describes the kinds of things that medical device manufacturers should consider when preparing pre-market submissions for medical devices in areas such as information confidentiality, integrity, and availability, the FDA said.

The release of the document follows the publication of a draft in June 2013 and a period of public comment that concluded in September 2013. It marks the first time that the federal government has issued specific guidance for the medical device industry regarding cyber security. However, the guidance is just that, and the FDA said it is open to device makers pursuing other means to achieve the same objectives.

“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

Experts have been warning for years that medical devices – including some that are implantable in patients – are vulnerable to some of the same dangers as other kinds of information systems. Demonstrations at security conferences like Black Hat and DEFCON have featured remote attacks on medical devices including implantable insulin pumps. In recent months, security researchers have discovered that vulnerabilities found in some industrial systems are often shared by medical devices manufactured by the same firms.

The FDA, however, has generally taken a collaborative approach to the problem of securing connected medical devices, hosting seminars and workshops that explore issues related to securing medical technology. In September, it said that an October workshop entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” would solicit input from stakeholders within the government and from the public health sector on medical device and healthcare cyber security.

You can read more via this link: The FDA takes steps to strengthen cybersecurity of medical devices.
