Federal health officials have issued new voluntary cyber security guidance for medical device manufacturers covering how to manage devices that could be vulnerable to hacking or security breaches, which could place patients' safety in jeopardy.
The FDA released its final guidance on post-market management of medical device cyber security on December 28, recommending structured and comprehensive programs to reduce the chance that medical devices are compromised once they are in use.
There is a growing concern that remotely-controlled medical devices implanted in humans could be hacked, which could disrupt the performance of the device and put patients at risk.
The potential for these cyber security risks has become widely known, and the FDA reports that attempted attacks on hospital systems have been consistently reported over the last several years. The FDA has recognized the security risks that may arise when patients' implanted devices are linked to hospital networks, or even to patients' home internet service, which is why the FDA first proposed a draft guidance in October 2014.
The draft guidance encouraged hospitals and medical device manufacturers to monitor cyber security information sources to identify and detect hacking risks, improve their vulnerability detection and assessment methods, better understand the impact particular vulnerabilities could have on patients, adopt a coordinated vulnerability disclosure policy, and put mitigations in place before a vulnerability is exploited.
Nearly two years later, the FDA is encouraging medical device manufacturers to strongly consider following the finalized recommendations. The agency is asking manufacturers to monitor for and detect potential cyber security vulnerabilities in their devices, to investigate and assess the level of risk each vulnerability poses to patients, and to participate in cyber security information sharing with other manufacturers so that known attack techniques are addressed before they are reused against other devices.
The agency is calling for manufacturers to design medical device software so that it can be updated in the field, allowing newly discovered vulnerabilities to be fixed for the full life span of the device. A product that cannot be updated could put patients at risk and become obsolete quickly. Because an update mechanism is itself an attack surface, updates should be authenticated by the device before they are applied. This approach allows manufacturers to maintain the safety and effectiveness of their devices at every stage and encourages continuous quality improvement, the FDA indicates.
Within the guidance the FDA is also asking manufacturers to apply the five core functions of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity: identify, protect, detect, respond and recover.
Although the guidance is voluntary, FDA officials say they remain hopeful that manufacturers will recognize the severity of the risks their devices could expose patients to if the recommendations are not followed, and that medical professionals and hospitals will choose devices with cyber security safeguards over products that lack them.