Cybersecurity in Medical Devices Part 1: Networked Medical Devices & Cybersecurity Vulnerabilities

On January 15, 2016, FDA published a draft guidance providing medical device manufacturers with a number of recommendations to protect patients from cybersecurity vulnerabilities in their devices.

The draft guidance, entitled “Postmarket Management of Cybersecurity in Medical Devices,” encourages manufacturers to “address cybersecurity throughout the product life cycle, including during the design, development, production, distribution, deployment and maintenance of the device.” Additionally, the Agency states that the recommendations contained within the document are applicable to:

1. Medical devices that contain software (including firmware) or programmable logic
2. Software that is a medical device

In addition to the Agency’s recommendations for medical device manufacturers, the draft guidance contains a rather sizable list of definitions, which includes terms such as Compensating Controls and Controlled Risk.

Networked Medical Devices & Cybersecurity Vulnerabilities

In the recent past we have seen an increase in the number of medical devices containing computer hardware or software, or connecting to computer networks. These devices, which are designed to be networked to facilitate patient care, are susceptible to the same types of cyber vulnerabilities as other networked computer systems. The exploitation of these vulnerabilities could pose a huge risk to the safety and effectiveness of medical devices. Regular maintenance is required throughout the product life cycle to assure that an adequate level of protection is in place. This consistent maintenance is key to reducing the risk to patient safety and overall public health.

In the recent draft guidance, the FDA “emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.” In addition, the Agency recommends that companies take a number of preventative measures, such as monitoring, identifying, and addressing risks; coordinating efforts by companies, government, and other groups to disclose vulnerabilities; and taking actions to address cybersecurity risks as early and proactively as possible.

The draft guidance states that a large number of cybersecurity vulnerabilities are considered routine and can be easily resolved. These vulnerabilities do not need to be reported to the FDA. However, vulnerabilities that might compromise the clinical performance of the device, thus risking the health of the patient, are required to be reported the Agency.

Do you have a medical device that may be susceptible to cybersecurity vulnerabilities? We can help with all of your drug and medical device needs. For more information on our services and how we can help you achieve a positive outcome with FDA, contact us today.

*Part two is available now... More information on FDA's recommendations regarding cybersecurity in medical devices in our follow-up FDA News article entitled, "Cybersecurity in Medical Devices Part 2: General Principles."