medical devices

By Christopher Hanson

On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.”  In a separate post, we reported on the January 22, 2016 draft version of this guidance document.  The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and remediate cybersecurity vulnerabilities.  The guidance also outlines circumstances in which the Agency intends to exercise enforcement discretion with respect to the requirements of 21 C.F.R. Part 806 to report actions related to cybersecurity vulnerabilities as device corrections and removals.

We highlight below key ways the final guidance document differs from the earlier draft version:
Continue Reading CDRH Releases Postmarket Cybersecurity Final Guidance

By Christopher Hanson

On January 22, 2016, CDRH announced in the Federal Register the publication of the draft guidance, “Postmarket Management of Cybersecurity in Medical Devices.”  The release of the draft guidance coincided with the conclusion of a two-day public workshop hosted by FDA entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.”  We previously discussed the Agency’s announcement of the workshop in a separate post.

This is the second significant cybersecurity guidance document CDRH has released, having finalized its “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance in October 2014.  Having now issued both premarket and postmarket guidance documents, the Agency recognizes that an “effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.”
Continue Reading After Two-Day Workshop, CDRH Releases Postmarket Cybersecurity Draft Guidance

Cybersecurity vulnerabilities are a growing concern as medical devices become increasingly connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.
Continue Reading Cybersecurity Risks with Connected Devices

By Phil Bradley-Schmieg

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.

The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.

It also asks high-level questions about the technology being used, such as whether the devices can connect to the Internet, and about the use of medical apps, mobile phones, tablets and dictaphones.
Continue Reading UK Data Protection Regulator Surveys Use of Smart Medical Devices

On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.  The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.”  The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President.

The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.
Continue Reading FDA Releases Final Guidance on Cybersecurity in Medical Devices, Public Workshop to Follow on October 21-22, 2014

The US Information Security and Privacy Board (ISPAB) voiced concerns over potential harms resulting from a lack of controlled management of cybersecurity in wireless medical devices in response to FDA’s draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.”  ISPAB operates under the National Institute of Standards and Technology (NIST) in its Computer Security Division, and its goals include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy.
Continue Reading US Information Security and Privacy Board Expresses Concerns about Management of Cybersecurity in Wireless Medical Devices