You are here

FDA Takes Steps to Strengthen Cybersecurity of Medical Devices

Agency issues guidance to manufacturers

To strengthen the safety of medical devices, the FDA has finalized recommendations to manufacturers for managing cybersecurity risks to better protect patient health and information.

The final guidance recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.

As medical devices become more interconnected and interoperable, they can improve the care patients receive and create efficiencies in the health care system. However, according to the FDA, some medical devices, such as computer systems, can be vulnerable to security breaches, potentially affecting the safety and effectiveness of the device. By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices.

The FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.

The FDA has neither an indication that specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches, but remains concerned about device-related cybersecurity vulnerabilities and their potential to adversely impact public health.

The FDA has been working closely with other federal agencies and the medical device industry to identify and communicate with stakeholders about vulnerabilities. The agency is planning a public workshop this fall to discuss how government, medical device developers, hospitals, cybersecurity professionals, and other stakeholders can collaborate to improve the cybersecurity of medical devices and protect the public health.

Source: FDA; October 1, 2014.

Recent Headlines

U.S., Australia, and Canada Approve Endometrial Cancer Regimen
Single daily pill combines hypertension, cholesterol drugs
Drug With Androgen Deprivation Therapy Cut Risk of Death by 33% Compared With Placebo + ADT
A Diabetes Drug For People Without Diabetes
Roche Drug Outperformed Standard of Care in Phase 2 Study
Mesh Implants, Now Banned by FDA, Work as Well as Hysterectomy
One in Five Kids’ Office Visits Results in an Off-Label Rx
Related Settlement Would End Many but Not All Lawsuits
Chronic Kidney Patients With Hyperphosphatemia May Be Another Market for the Drug