FDA Guidance Targets Medical Device Security

The Food and Drug Administration has finalized guidance on cybersecurity issues that medical device manufacturers should consider when submitting a device for FDA approval.

Such guidance could change or enhance the types of security functions that will be in devices purchased and installed in provider organizations.

“This guidance provides recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised,” according to a notice published on Oct. 1.

In the guidance, manufacturers are expected to develop controls to assure cybersecurity of their medical devices, yet FDA recognizes that device security is a shared responsibility between manufacturers, providers, and even patients.

Still, manufacturers are expected to identify assets, threats, and vulnerabilities; assess the impact of those threats and vulnerabilities on device functionality and the likelihood that a vulnerability will be exploited; determine risk levels and mitigation strategies; and define risk acceptance criteria.

Manufacturers, according to FDA, should balance security with usability of a device in its intended setting. “For example, security controls should not unreasonably hinder access to a device intended to be used during an emergency situation. The Agency recommends that medical device manufacturers provide justification in the premarket submission for the security functions chosen for their medical devices.”

Stephen Cobb, senior security researcher at ESET, a cybersecurity software vendor, tells Health Data Management that the guidance is long overdue but welcome.

“Any efforts to focus attention on the security and privacy aspects of medical devices should be embraced, especially in light of the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable technology and telemedicine," he adds. "A good model would be for the FDA to set some security baselines and fail devices that do not meet them; however, it should be made clear that meeting those baselines does not guarantee security. A further level of review which engages independent security experts would help reassure patients and the public. The latter, and their lawyers, together with market forces, will be the main driving forces leading to better security and privacy protection from manufacturers, hopefully sooner rather than later.”

The guidance, available here, gives multiple examples of security functions to consider to limit access to trusted users, ensure trusted content, and detect/respond/recover from security compromises, as well as the types of cybersecurity documentation that FDA expects to see.
