FDA Issues Final Guidance For Medical Device Cybersecurity

Medical device manufacturers should be thinking more about cybersecurity when designing new products, according to federal regulators, and should also put out patches and updates to fill in any electronic security holes in existing devices. 

On October 1, the FDA posted a final guidance on the cybersecurity of medical devices in the Federal Register, providing non-binding industry guide to how it should be handling security concerns surrounding new technology used in medical treatment.

The agency is calling for manufacturers to consider cybersecurity risks as part of the initial design of medical devices and to promptly inform the FDA what such risks might be and how they intend to control or mitigate those risks.

“There is no such thing as a threat-proof medical device,” FDA’s Director of Emergency Preparedness/Operations and Medical Countermeasures, Dr. Suzanne Schwartz, said in a press release. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

The agency says it is concerned about malware infections on networked medical devices, smartphones and tablets that may give hackers access to patient information. Agency officials are also worried about cybersecurity breaches that could make such devices inoperable and thus adversely impact public health.

The FDA notes that it knows of no such incidents to date, but wants to get ahead of the problem before it becomes one.

A cybersecurity safety warning was first issued by the FDA in June 2013, calling for health care facilities and manufacturers to harden medical devices against attack.

The FDA recommends all medical facilities implement methods for retention and recovery of sensitive data in the event an incident should occur where security has been compromised.

Recently, cybersecurity became an issue involving the protection of insulin pumps. In a demonstration conducted in 2012 by McAffee, Inc., researcher Barnaby Jack revealed insulin pumps were more susceptible to hacking attempts than originally suspected.

According to the demonstration, hackers were able to remotely access the pumps from up to 300 feet away. After hacking the devices they are able to change the dosage and cause the pumps to deliver fatal doses of insulin. The security issues are known to also occur in a number of other medical devices that rely on wireless communication.

While it does not carry enforcement risks for non-compliance, the FDA guidance does put the industry on notice for how they should be operating, which can have legal ramifications when the guidance are not followed. In many cases, the existence of such a guidance makes it very difficult for a company to deny that it knew or should have known of a proper way to address a potential problem.