Health IT Pulse

Jan 20 2016   4:58PM GMT

FDA gets tougher on IoT medical device cybersecurity

Shaun Sutner Shaun Sutner Profile: Shaun Sutner

Internet of Things
medical devices

Manufacturers and users of connected medical devices should take steps to ensure the cybersecurity of such devices, the FDA said in a new guidance document.

The draft guidance on is significant because it contains the FDA’s first directives on security issues of Internet of Things (IoT) medical devices for after they are released to the market rather than in the design, manufacturing and FDA approval phases.

In 2014, the FDA provided guidance for pre-market cybersecurity technology and management in medical devices. Last year, the agency issued a safety communication on the security vulnerabilities of two infusion pumps made by Hospira, Inc., which is now owned by Pfizer Inc.

“Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices,” the FDA said in a Jan. 15 release. “While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.”

In the release, Suzanne Schwartz, M.D., associate director for science and strategic partnerships in the FDA’s Center for Devices and Radiological Health, said that all medical devices that use software and are connected to healthcare providers’ data networks have security weaknesses.

“Some we can proactively protect against, while others require vigilant monitoring and timely remediation,” Schwartz said.

The guidance also says device manufacturers should participate in an Information Sharing Analysis Organization to exchange information about medical device cybersecurity.

In addition, the FDA guidance says vendors should adopt structured and thorough cybersecurity risk management programs, which should include, among other things:

The FDA is soliciting public comment on the draft guidance. The comment period will be open for 90 days.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: