FDA Issues Cybersecurity Guidance to Medical Device Manufacturers

Data transmissionThe U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of use, or the unauthorized use of this information. Medical devices that connect to other devices or to the Internet or which have USB or other data ports are especially vulnerable. The FDA notes that “[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”On October 1, 2014, the FDA advised manufacturers of medical devices to address cybersecurity during the initial design of the devices in order to reduce the risk of health information being compromised by inadequate cybersecurity later. It also advises manufacturers to consider cybersecurity in preparing premarket submissions for FDA-approval of those devices.

Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety. The FDA believes that manufacturers are required to establish a cybersecurity vulnerability and management approach by federal regulation at 21 C.F.R. § 820.30(g). This regulation requires “design validation” by a manufacturer to ensure that devices “conform to defined user needs and intended uses” through “software validation and risk analysis, where appropriate.” The FDA recommends this approach should address the following elements:

• Identification of assets, threats, and vulnerabilities;
• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
• Assessment of the likelihood of a threat and of a vulnerability being exploited;
• Determination of risk levels and suitable mitigation strategies;
• Assessment of residual risk and risk acceptance criteria.

The recommendations contained in this guidance supplements FDA’s “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.