News Feature | October 10, 2014

FDA Reveals Final Device Cybersecurity Guidelines

Katie Wike

By Katie Wike, contributing writer

FDA Device Cybersecurity Guidelines

On October 2, the FDA released the final guidelines for the management of medical device cybersecurity.

The FDA’s final guidelines for the management of medical device cybersecurity was recently released on October 2, 2014. The report provides guidance for medical device manufacturers to improve their devices’ security. Specifically, says iHealth Beat, the guidance is intended to protect patient data from hackers attempting to access it through malware and other security breaches.

“The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information,” writes the FDA.

“This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”

Clinical Innovation explains that these new guidelines recommend that certain types of information are disclosed in a submission, including:

  • justification of the security functions chosen for their medical devices
  • list of cybersecurity risks considered in the medical device’s design
  • matrix that traces those risks considered to the appropriate controls
  • systematic plan for providing patches and updates to operating systems or medical device software

The agency also recommends that manufacturers keep in mind the following when developing apps:

  • assess device risks and vulnerabilities
  • determine criteria for risk acceptance
  • evaluate how risks could affect device functionality
  • measure the risk levels and create strategies to mitigate risk

“There is no such thing as a threat-proof medical device,” Suzanne Schwartz, MD, MBA, director of emergency preparedness/operations and medical countermeasures at The FDA’s Center for Devices and Radiological Health (CDRH), said in a statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”