FDA Issues Final Guidance For Medical Device Cybersecurity

Medical device manufacturers should be thinking more about cybersecurity when designing new products, according to federal regulators, and should also put out patches and updates to fill in any electronic security holes in existing devices. 

On October 1, the FDA posted a final guidance on the cybersecurity of medical devices in the Federal Register, providing non-binding industry guide to how it should be handling security concerns surrounding new technology used in medical treatment.

The agency is calling for manufacturers to consider cybersecurity risks as part of the initial design of medical devices and to promptly inform the FDA what such risks might be and how they intend to control or mitigate those risks.

Hair-Dye-Cancer-Lawsuits
Hair-Dye-Cancer-Lawsuits

“There is no such thing as a threat-proof medical device,” FDA’s Director of Emergency Preparedness/Operations and Medical Countermeasures, Dr. Suzanne Schwartz, said in a press release. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

The agency says it is concerned about malware infections on networked medical devices, smartphones and tablets that may give hackers access to patient information. Agency officials are also worried about cybersecurity breaches that could make such devices inoperable and thus adversely impact public health.

The FDA notes that it knows of no such incidents to date, but wants to get ahead of the problem before it becomes one.

A cybersecurity safety warning was first issued by the FDA in June 2013, calling for health care facilities and manufacturers to harden medical devices against attack.

The FDA recommends all medical facilities implement methods for retention and recovery of sensitive data in the event an incident should occur where security has been compromised.

Recently, cybersecurity became an issue involving the protection of insulin pumps. In a demonstration conducted in 2012 by McAffee, Inc., researcher Barnaby Jack revealed insulin pumps were more susceptible to hacking attempts than originally suspected.

According to the demonstration, hackers were able to remotely access the pumps from up to 300 feet away. After hacking the devices they are able to change the dosage and cause the pumps to deliver fatal doses of insulin. The security issues are known to also occur in a number of other medical devices that rely on wireless communication.

While it does not carry enforcement risks for non-compliance, the FDA guidance does put the industry on notice for how they should be operating, which can have legal ramifications when the guidance are not followed. In many cases, the existence of such a guidance makes it very difficult for a company to deny that it knew or should have known of a proper way to address a potential problem.


0 Comments


Share Your Comments

This field is hidden when viewing the form
I authorize the above comments be posted on this page
Post Comment
Weekly Digest Opt-In

Want your comments reviewed by a lawyer?

To have an attorney review your comments and contact you about a potential case, provide your contact information below. This will not be published.

NOTE: Providing information for review by an attorney does not form an attorney-client relationship.

This field is for validation purposes and should be left unchanged.

MORE TOP STORIES

A class action lawsuit has been filed against Galaxy Gas and several associated companies, alleging the product is marketed to teens using sweet flavors and deceptive safety claims, leading to widespread addiction and neurological injuries.
A federal judge has randomly selected a group of 500 Suboxone tooth decay lawsuits to go through case-specific discovery and further workup, which may eventually be eligible for early bellwether trials.