FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers.

The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure.

The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm.

Earlier this year, short-selling firm Muddy Waters issued a report on a number of security vulnerabilities that had allegedly been identified in certain St. Jude Medical devices. The FDA is currently investigating those claims, although St. Jude Medical has denied that those vulnerabilities exist. Johnson & Johnson also discovered a flaw in its insulin pump which could potentially be exploited by hackers.

Final FDA Cybersecurity Guidance for Medical Device Manufacturers

The new 30-page guidance document encourages manufacturers of medical devices to implement a system for monitoring their devices and associated software for potential security vulnerabilities that could be used by hackers to take control of the devices, obtain sensitive data, or launch attacks on healthcare networks.

The guidance has been a year in the making and follows the release of cybersecurity guidelines for device manufacturers in October 2014. The previous document makes recommendations for incorporating better cybersecurity protections into medical devices before they come to market.

The latest guidance is concerned with the continued protection of medical devices after they have come to market. The document suggests steps that should be taken by manufacturers of the devices to make it easier for vulnerabilities to be identified and reported by security researchers. The FDA suggests device manufacturers should develop channels of communications to allow vulnerabilities to be reported back to them by white hat hackers.

The FDA also recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share cybersecurity threat information, including how they have responded to threats and made their devices more secure.

Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, helped develop the guidelines. She explained in a recent blog post that “Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan.” She also explained that device manufacturers need to develop “a structured and comprehensive program to manage cybersecurity risks.”

The cybersecurity guidance for medical device manufacturers can be used to develop and implement policies and procedures to better protect medical devices once they have come to market. Schwartz also strongly recommends that device manufacturers apply the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

The new guidance – Postmarket Management of Cybersecurity in Medical Devices – can be downloaded from this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.