FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers | Healthcare Informatics Magazine | Health IT

FDA Releases Cybersecurity Guidelines for Medical Device Manufacturers

January 19, 2016
by Heather Landi

The Food and Drug Administration has issued draft guidelines for device manufacturers to manage postmarket cybersecurity vulnerabilities for medical devices.

As a growing number of medical devices are designed to be networked to facilitate patient care, these devices incorporate software that may be vulnerable to cybersecurity threats.

In the guidelines, FDA encourages device manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.

“This guidance clarifies FDA’s postmarket recommendations and emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices,” the report states.

The agency recommends that device manufacturers employ a proactive and risk-based approach to the postmarket phase by engaging in cybersecurity information sharing and monitoring, promoting “good cyber hygiene” through routine device cyber maintenance and using a risk-based approach to characterizing vulnerabilities followed by timely implementation of necessary actions to further mitigate emerging cybersecurity risks.

As part of a cybersecurity risk management program, FDA encourages the use and adoption of the National Institute of Standards and Technology (NIST) voluntary Framework for Improving Critical Infrastructure Cybersecurity.

“Critical to the adoption of a proactive, rather than reactive, postmarket cybersecurity approach, is the sharing of cyber risk information and intelligence within the medical device community,” the FDA draft guidelines state.

As part of the cybersecurity risk management process, device manufacturers should “establish, document and maintain throughout the medical device lifecycle an ongoing process for identifying hazards associated with the cybersecurity of a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the controls,” the draft guidelines state.

The FDA also recommends that such a process focus on assessing the risk to the device’s essential clinical performance by considering the exploitability of the cybersecurity vulnerability and the severity of the health impact to patients if the vulnerability were to be exploited.

While many device manufacturers use “worst case scenarios” to assess the exploitability of a cybersecurity vulnerability, the FDA draft guidelines recommend that manufacturers consider using a cybersecurity vulnerability assessment tool or similar scoring system, such as the Common Vulnerability Scoring System, for rating vulnerabilities and determining the need for and urgency of the response.

The FDA draft guidelines also recommend that medical device companies have a structured and systematic approach to risk management and quality management systems that includes methods to identify, characterize and assess a cybersecurity vulnerability, as well as methods to analyze, detect and assess threat sources. For example, a cybersecurity vulnerability might impact all of the medical devices in a manufacturer’s portfolio because of how the products are developed, or a vulnerability could exist vertically, such as within the components of a device, where it can be introduced at any point in the supply chain of the medical device manufacturing process.

Comments on the draft guidance will be open for 90 days after publication in the Federal Register.
