FDA publishes cybersecurity advice for medical devices

Thanks to significant technological advances in patient care over the past decade, many medical devices are now being designed to connect to a hospital or long-term care facility’s network, or even a patient’s home internet service. Many experts tout improved patient outcomes from this additional data, but these networked medical devices, like any other networked computer system, also carry an increased risk of cybersecurity breaches that could affect a device’s performance.

In an effort to help medical device manufacturers and healthcare facilities mitigate and manage cybersecurity threats, the FDA in December issued final guidance for the postmarket management of cybersecurity vulnerabilities in medical devices. It joins an earlier final guidance on medical device premarket cybersecurity issued in October 2014.

“Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan,” said Suzanne Schwartz, M.D., MBA, FDA’s associate director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health, in a blog post.

The guidance document outlines steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices, Schwartz said. These include:

• Practicing good cyber hygiene, which includes ongoing assessment of risks and opportunities to reduce cybersecurity threats;

• Developing a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities;

• Validating software to reduce potential vulnerabilities, without creating new vulnerabilities;

• Deploying mitigations, such as software patches, to address cybersecurity issues early.