FDA Issues Reminder on Networked Medical Devices Cybersecurity

By Daniel R. Matlis

The issue of networked medical devices has come front and center with two recent Life-Science Panorama articles focused on the topic.

“Hospitals & Medical Device Manufacturers Address Interoperability with New Standard” by Oliver P. Christ, CEO Healthcare of PROSYSTEM AG, discussed the emergence of standards and regulations around communications involving medical devices.

“Is Medical Device Interoperability Sufficient” by Rick Schrenker, Systems Engineering Manager in the Massachusetts General Hospital Department of Biomedical Engineering, provides his perspective on interoperability standardization efforts and their impact on ensuring medical device safety and dependability.

Today, FDA issued a reminder to medical device manufacturers, hospitals, medical device user facilities, healthcare IT and procurement staff, medical device users, and biomedical engineers, entitled “Cybersecurity for Networked Medical Devices is a Shared Responsibility.”

Through this vehicle, the FDA reminds the Medical Device community that cybersecurity for medical devices and their associated communication networks is a shared responsibility between medical device manufacturers and medical device user facilities. The proper maintenance of cybersecurity for medical devices and hospital networks is vitally important to public health because it ensures the integrity of the computer networks that support medical devices.

According to the article, FDA is aware of misinterpretation of the regulations for the cybersecurity of medical devices that are connected to computer networks. FDA’s interpretation of the regulations can be found in the 2005 guidance for industry and its accompanying information for healthcare organizations.

FDA wants to emphasize the following:

  • Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
  • The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
  • All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.

Software patches and updates are essential to the continued safe and effective performance of medical devices. Typically, FDA approval is not required before installing changes, updates, or patches that address cybersecurity issues. Software patches usually do not involve FDA review because most patches are installed to reduce the risk of a cybersecurity problem and not to address a risk to health posed by the device.

The need to be alert and responsive to cybersecurity issues is part of the device manufacturer’s obligation. FDA recommends that purchasers and users of medical devices that may have a cybersecurity problem contact the device manufacturer with their concerns.

In the reminder, FDA encourages the medical device ecosystem to take simple steps to help protect against cybersecurity threats like viruses and worms that affect medical devices.
