Privacy & Information Security Law Blog

On June 13, 2013, the Food and Drug Administration (“FDA”) published a safety communication and guidance regarding the vulnerability of medical devices to cyberattacks. The safety communication, Cybersecurity for Medical Devices and Hospital Networks, is intended for “[m]edical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff; and biomedical engineers.” The safety communication notes that because medical devices can be connected to other devices and the Internet, such devices are exposed to cyber attacks that might result from malware infections, the exploitation of weak password protections, a lack of updated security patches and security vulnerabilities in software installed on medical devices.

The FDA advised medical device manufacturers to improve the security of the devices by:

• Limiting device access to only authorized users;
• Strengthening password protections for the devices;
• Sending regular security patches to the devices; and
• Developing data recovery and incident response plans in the event of a compromise of medical device security.

The FDA also advised hospitals and other health care facilities to take certain actions, such as:

• Restricting access to networked medical devices;
• Updating antivirus software and firewalls;
• Monitoring network activity;
• Disabling any unnecessary ports and services; and
• Developing strategies to ensure that the critical functionality of medical devices are maintained.

The FDA’s guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, advises device manufacturers to incorporate cybersecurity when designing the devices so as to produce “more robust and efficient mitigation of cybersecurity risks.” In addition, the guidance highlights five key items that medical device manufacturers are recommended to provide in their premarket submissions to the FDA:

1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with a specific device;
2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks;
3. A systematic plan for providing validated updates and patches to operating systems or medical device software;
4. Documentation that the device will be provided to purchasers and users free of malware; and
5. Instructions for anti-virus software and the use of firewalls.

Following a 90-day comment period, the FDA will then finalize the guidance. The guidance will represent the FDA’s views on cybersecurity, but will not create any legal obligations on the part of medical device manufacturers.