
FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers

January 19, 2016
by Heather Landi

The Food and Drug Administration has issued draft guidelines for device manufacturers to manage postmarket cybersecurity vulnerabilities for medical devices.

As a growing number of medical devices are designed to be networked to facilitate patient care, these devices incorporate software that may be vulnerable to cybersecurity threats.

In the guidelines, FDA encourages device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

“This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices,” the report states.

The agency recommends that device manufacturers take a proactive, risk-based approach to the postmarket phase by engaging in cybersecurity information sharing and monitoring; promoting “good cyber hygiene” through routine device cyber maintenance; and using a risk-based approach to characterizing vulnerabilities, followed by timely implementation of the actions needed to mitigate emerging cybersecurity risks.

As part of a cybersecurity risk management program, FDA encourages the use and adoption of the National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity.

“Critical to the adoption of a proactive, rather than reactive, postmarket cybersecurity approach, is the sharing of cyber risk information and intelligence within the medical device community,” the FDA draft guidelines state.

As part of the cybersecurity risk management process, device manufacturers should “establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls,” the draft guidelines state.

The FDA also recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited.

While many device manufacturers use “worst case scenarios” to assess the exploitability of a cybersecurity vulnerability, the FDA draft guidelines recommend that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System, to rate vulnerabilities and determine the need for and urgency of a response.

The FDA draft guidelines also recommend that medical device companies have a structured and systematic approach to risk management and quality management systems, including methods to identify, characterize and assess a cybersecurity vulnerability and methods to analyze, detect and assess threat sources. For example, a cybersecurity vulnerability might affect every medical device in a manufacturer’s portfolio because of how its products are developed, or a vulnerability could exist vertically, within the components of a single device, having been introduced at any point in the supply chain of the medical device manufacturing process.

Comments on the draft guidance will be open for 90 days after publication in the Federal Register.
