FDA Issues Cyber Security Guidance on Medical Devices

By Steven Ross Johnson | January 21, 2016

The U.S. Food and Drug Administration appears to have heeded the call of providers, regulators and consumers increasingly concerned about the cyber security of medical devices such as pumps and pacemakers. The products, which are often connected to the Internet and hospital networks, can be hacked, affecting their safety and effectiveness and revealing the data they carry.

The guidance recommends manufacturers of medical devices monitor, identify and respond to cyber security vulnerabilities as part of routine post-market surveillance of their products. They would be required to report some of that information back to the FDA.

Last July, the FDA issued a warning to providers about Hospira’s Symbiq Infusion System and advised them to stop using the product because of cyber security vulnerabilities.

“Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cyber security threats,” said Dr. Suzanne Schwartz, acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health.

Manufacturers should develop programs to assess the risks that cyber security threats pose to their products, according to the agency’s recommendations. Some vendors have said the FDA prevents them from making small modifications or patches to software or applications, for fear that doing so would affect the use of a product the federal agency had previously approved. The FDA’s recent guidance said that routine updates or patches would not require device makers to notify the agency. Only where a vulnerability could lead to serious adverse health outcomes or death would manufacturers be required to notify the FDA, which has the sole authority to approve medical devices.

Device makers would also not be required to report problems if the manufacturers notify product users and address the problem within 30 days of learning about the vulnerability, or if the manufacturer shares information with other companies to prevent cyber threats.

The guidance will be discussed at an FDA workshop on cyber security Wednesday and Thursday.

A spokesman from leading device maker Medtronic stated in an e-mail that the company was still reviewing the agency’s guidance, which is open for public comment for 90 days. The company stated it would continue to work closely with regulators on this issue, and that it supported “the agency’s engagement in the cyber security of medical devices.”

The latest proposed guidance for post-market monitoring follows guidance the FDA issued in 2014 for manufacturers to address cyber security concerns as they are developing their products.