FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers | Healthcare Informatics Magazine | Health IT | Information Technology

FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers

January 19, 2016
by Heather Landi

The Food and Drug Administration has issued draft guidelines for device manufacturers to manage postmarket cybersecurity vulnerabilities for medical devices.

As a growing number of medical devices are designed to be networked to facilitate patient care, these devices incorporate software that may be vulnerable to cybersecurity threats.

In the guidelines, FDA encourages device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

“This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices,” the report states.

The agency recommends that device manufacturers employ a proactive and risk-based approach to the postmarket phase by engaging in cybersecurity information sharing and monitoring, promoting “good cyber hygiene” through routine device cyber maintenance and using a risk-based approach to characterizing vulnerabilities followed by timely implementation of necessary actions to further mitigate emerging cybersecurity risks.

As part of a cybersecurity risk management program, FDA encourages the use and adoption of the National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity.

“Critical to the adoption of a proactive, rather than reactive, postmarket cybersecurity approach, is the sharing of cyber risk information and intelligence within the medical device community,” the FDA draft guidelines state.

As part of the cybersecurity risk management process, device manufacturers should “establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls,” the draft guidelines state.

The FDA also recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited.

While many device manufacturers use “worst case scenarios” to assess the exploitability of a cybersecurity vulnerability, the FDA draft guidelines recommend that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System, for rating vulnerabilities and determining the need for and urgency of the response.

The FDA draft guidelines also recommend that medical device companies have a structured and systematic approach to risk management and quality management systems, including methods to identify, characterize and assess a cybersecurity vulnerability and methods to analyze, detect and assess threat sources. For example, a cybersecurity vulnerability might affect all of the medical devices in a manufacturer’s portfolio because of how its products are developed, or a vulnerability could exist vertically, such as within the components of a device, where it can be introduced at any point in the supply chain of the medical device manufacturing process.

Comments on the draft guidance will be open for 90 days after publication in the Federal Register.
