
FDA Sets Final Cybersecurity Recommendations For Medical Device Manufacturers

The agency is now recommending manufacturers submit plans for security updates when asking for product approval. NEC Corporation of America, CC BY 2.0

The Food and Drug Administration will announce its final recommendations Thursday on how medical device manufacturers can strengthen their cybersecurity precautions.

As more products rely on Internet access and connection to a specific network, the FDA is beginning to express growing concern that these products may be vulnerable to cyber-threats. In its final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” the agency outlines steps companies can take before submitting products for approval that will help minimize the chance that the devices can be hacked or compromised.

“There is no such thing as a threat-proof medical device,” said Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA, in a statement. The best the agency can do, Schwartz explains, is to help manufacturers protect themselves. Part of that means incorporating patches and updates to operating systems and medical software.

The FDA places a large portion of its concern on tablets, smartphones, and other devices that have access to patient data. Unprotected, these records may fall into the wrong hands and reveal sensitive health information. Likewise, the FDA wants to protect hospitals from leaked passwords, untimely security updates, and insecure off-the-shelf software designed to prevent unauthorized access to the network.

So far, there have been no reports of a security breach or patient harm as a result of poor protection, the FDA claims. However, medical devices are increasingly reliant on communicating with other devices in order to function, which means that by the time something happens it will already be too late.

“It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks,” Schwartz said.

The FDA also says it has been in close communication with other federal agencies in an effort to enhance security. This fall, the FDA will be holding a public workshop to discuss how government, hospitals, cybersecurity experts, medical device developers, and others can work together to protect the public health and its data.
