HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways than has ever been possible, concerns have been raised about medical device cybersecurity.

Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed.

The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits.

The FDA has been working closely with healthcare providers, patients, and device manufacturers to understand and address any risks associated with the devices. Part of the FDA’s efforts in this area involve the development of new frameworks for identifying risks and protecting consumers.

To further protect patients and help reduce risks to a minimal level, the FDA has developed a five-point action plan (PDF). Under the plan the FDA will continue to encourage the development of new devices to address unmet health needs, while also enhancing security controls to ensure patient data remains private and confidential.

Improving Medical Device Cybersecurity

The FDA will be reorganizing its medical device center and will consolidate its premarket and postmarket offices. By leveraging the expert knowledge of staff in both offices and adopting a more integrated approach, the FDA will be able to optimize decision-making. The FDA is also adopting a ‘Total Product Life Cycle’ (TPLC) approach to ensure device safety for the entire lifespan of the products.

While risks can be evaluated before the devices come to market, oftentimes those risks are not fully understood until the devices have been released and are being used by a wide range of patients and providers in different settings.

Naturally, when risks are identified in postmarket devices there needs to be a mechanism in place that allows the devices to be updated. The FDA will be exploring various regulatory options to ensure timely mitigations can be implemented, including the ability for all devices to receive updates and security patches to address newly discovered vulnerabilities.

In addition to ensuring that medical device labelling is improved to make providers aware of the safety and effectiveness of the devices, the FDA is considering additional training for providers and further education of users of the devices. The FDA also plans to develop scientific tool kits that manufacturers can use to ensure their premarket devices meet safety standards.

To encourage manufacturers to incorporate advanced medical device cybersecurity controls, the FDA is looking into ways it can streamline and speed up the review of devices that meet or exceed safety standards.

The FDA is already promoting “a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience” to ensure devices remain safe throughout their entire life cycle. The FDA is also seeking additional funding and authority to develop a public-private CyberMed Safety Analysis Board to assist with medical device cybersecurity issues, vulnerability coordination, and response mechanisms.

Members of the board would include biomedical engineers, clinicians, and cybersecurity experts who would advise both the FDA and device manufacturers on cybersecurity issues and provide assistance with adjudicating disputes.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.