FDA takes steps to strengthen medical device security

Physician Practice Insider, February 9, 2016

On January 22 the Food and Drug Administration (FDA) took action to improve security standards for medical devices with the release of draft cybersecurity guidance. The draft guidance, Postmarket Management of Cybersecurity in Medical Devices, outlines actions medical device manufacturers should take to address security vulnerabilities in their products, according to the FDA’s statement.

The FDA places particular emphasis on what it calls postmarket monitoring—releasing regular security patches and updates for devices after they’ve been purchased. Security controls are generally built into medical devices, but after the devices are purchased and connected to a healthcare organization’s network, they can become vulnerable to attacks on the network. Devices that operate using software and security controls that are not regularly updated are particularly at risk from threats like viruses, hacking, and other cyberattacks. These attacks could cause a medical device to malfunction, leading to serious health consequences for the patient. The draft guidance calls for medical device manufacturers to continue to monitor a product’s security as long as the product is on the market and to proactively plan for and address vulnerabilities.

The draft guidance describes a structured and systematic program that manufacturers should adopt for identifying and quickly responding to cyber threats. This program will encourage manufacturers to:

  • Establish a process for identifying and communicating vulnerabilities
  • Adopt a coordinated vulnerability disclosure practice
  • Mitigate cybersecurity risks before they’re exploited
  • Adopt National Institute of Standards and Technology (NIST)’s voluntary Framework for Improving Critical Infrastructure Cybersecurity


The FDA also stressed the importance of participation in an Information Sharing Analysis Organization (ISAO). An ISAO allows members to share and collect information on cybersecurity threats and build and test effective protections and responses.

Certain cybersecurity protective actions will have to be reported to the FDA, according to the draft guidance. Routine cybersecurity updates and patches will not need to be reported to the FDA. However, if a cybersecurity threat might compromise a device’s essential clinical performance and cause serious harm or death, manufacturers would be required to notify the FDA. Exceptions to this reporting policy may be allowed under certain conditions. These conditions are:

  • The manufacturer notifies users and releases security updates to address the vulnerability within 30 days
  • No deaths or serious harm are associated with the vulnerability
  • The manufacturer participates in an ISAO and reports the vulnerability and response to the ISAO


The security of networked medical devices is under increased scrutiny. The Office of Inspector General (OIG) announced it would review the FDA’s oversight of medical device security in its FY 2016 Work Plan. The FDA believes this draft guidance will encourage manufacturers to be proactive and vigilant in their response to cybersecurity threats.

The draft guidance is open for public comment until April 21. Comments can be submitted electronically or by mail.

This article was originally published in HCPro’s new daily e-newsletter Revenue Cycle Daily Advisor.