Healthcare Informatics Magazine

FDA Announces Plan to Advance Medical Device Safety and Cybersecurity

April 18, 2018
by Heather Landi

While medical devices play an increasing role in patient care and provide life-saving benefits to patients, these devices can be vulnerable to security breaches and therefore pose significant risks to healthcare cybersecurity. To address medical device safety, the Food and Drug Administration (FDA) has announced plans to advance new frameworks for identifying risks and protecting consumers, including proposals aimed at advancing medical device cybersecurity.

This week, the FDA released the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. This new Action Plan outlines the FDA’s vision for how the agency can continue to enhance programs and processes to assure the safety of medical devices. “Our aim is to make sure that the new advances in technology that are enabling better capabilities and benefits are also harnessed to bring added assurances of safety, so that more patients can benefit from new devices and address unmet needs,” FDA Commissioner Scott Gottlieb, M.D., said in a statement.

Specifically, the FDA’s medical device safety action plan focuses on five key areas:

Establish a robust medical device patient safety net in the U.S.;

Explore regulatory options to streamline and modernize timely implementation of post-market mitigations;

Spur innovation towards safer medical devices;

Advance medical device cybersecurity; and

Integrate the FDA’s Center for Devices and Radiological Health (CDRH) premarket and post-market offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety.

According to Gottlieb’s statement, the FDA already has taken several steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices. As part of this new action plan, FDA officials are seeking additional authorities and funding from Congress, which would build on the agency’s work to date and further minimize medical device cybersecurity vulnerabilities and exploits.

The agency is considering placing new responsibilities on manufacturers, both before and after their devices hit the market. Specifically, the FDA is considering potential new premarket authorities to require firms, on the front end, to build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA as part of the device’s premarket submission. The FDA may also require firms to develop a “Software Bill of Materials” that must be provided to the FDA as part of a premarket submission and made available to medical device customers and users.

Additionally, FDA plans to update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack). The agency also is considering new post-market authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.

The FDA is also considering forming a public-private partnership, a CyberMed Safety (Expert) Analysis Board, that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and the agency.

The Association of Executives in Healthcare Information Security (AEHIS) issued a statement in support of the FDA’s efforts to improve medical device cybersecurity and called the proposals “promising.”

Erik Decker, AEHIS chair and chief security and privacy officer at University of Chicago Medicine, said in the statement: “The challenges of protecting medical devices from cyberattacks is a hot topic within our association. We believe all parties understand this challenge is a shared responsibility; today’s FDA announcement is an important step toward furthering this goal.”

AEHIS has consistently advocated for policies that bring greater protections to the healthcare sector and transparency for providers who purchase these devices.

