Healthcare Informatics Magazine

FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers

January 19, 2016
by Heather Landi

The Food and Drug Administration has issued draft guidelines for device manufacturers to manage postmarket cybersecurity vulnerabilities for medical devices.

As a growing number of medical devices are designed to be networked to facilitate patient care, these devices incorporate software that may be vulnerable to cybersecurity threats.

In the guidelines, FDA encourages device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

“This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices,” the report states.

The agency recommends that device manufacturers employ a proactive and risk-based approach to the postmarket phase by engaging in cybersecurity information sharing and monitoring, promoting “good cyber hygiene” through routine device cyber maintenance and using a risk-based approach to characterizing vulnerabilities followed by timely implementation of necessary actions to further mitigate emerging cybersecurity risks.

As part of a cybersecurity risk management program, FDA encourages the use and adoption of the National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity.

“Critical to the adoption of a proactive, rather than reactive, postmarket cybersecurity approach, is the sharing of cyber risk information and intelligence within the medical device community,” the FDA draft guidelines state.

As part of the cybersecurity risk management process, device manufacturers should “establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls,” the draft guidelines state.

The FDA also recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited.

While many device manufacturers use “worst case scenarios” to assess the exploitability of a cybersecurity vulnerability, the FDA draft guidelines recommend that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System, for rating vulnerabilities and determining the need for and urgency of the response.

The FDA draft guidelines also recommend that medical device companies have a structured and systematic approach to risk management and quality management systems that includes methods to identify, characterize and assess a cybersecurity vulnerability and methods to analyze, detect and assess threat sources. For example, a cybersecurity vulnerability might impact all of the medical devices in a manufacturer’s portfolio based on how their products are developed, or a vulnerability could exist vertically, such as within the components of a device, which can be introduced at any point in the supply chain for a medical device manufacturing process.

Comments on the draft guidance will be open for 90 days after publication in the Federal Register.
