The U.S. Food and Drug Administration (FDA) has issued its final cybersecurity guidance on medical devices. The 30-page document augments the premarket guidance the FDA published in 2014 and is intended to help manufacturers of medical devices implement the policies, procedures, and controls needed to secure devices once they are on the market.
The 2014 guidance covered the security controls and policies manufacturers should have in place before a device comes to market. The new document covers the processes that should be in place afterwards: continuous monitoring of marketed devices so that newly discovered vulnerabilities are assessed and addressed before they can be exploited by hackers.
In recent years, a number of medical devices have been shown to contain serious vulnerabilities that could be exploited by hackers to cause patients to come to harm. Security experts are concerned that the vulnerabilities in the devices could also be leveraged to gain access to healthcare networks.
Earlier this year, Muddy Waters issued a report condemning the lack of cybersecurity protections on certain St. Jude Medical devices. In the report, Muddy Waters claimed the devices lacked even basic cybersecurity protections, leaving them wide open to attack. Muddy Waters claimed that the vulnerabilities could be exploited to cause the devices to malfunction, placing the patients who depend on them at severe risk of harm. St. Jude Medical has denied the allegations, although the report was just one of a number of revelations in 2016 about medical devices that allegedly contained unaddressed vulnerabilities.
The new FDA guidance contains important information to help manufacturers ensure that vulnerabilities in postmarket medical devices are rapidly identified and addressed. The guidance calls for device manufacturers to develop “a structured and comprehensive program to manage cybersecurity risks” in postmarket devices. That program is expected to include a coordinated vulnerability disclosure policy, with communication channels through which security researchers can report vulnerabilities quickly, and a risk-based process for assessing each reported vulnerability in terms of how exploitable it is and how severe the resulting patient harm could be. The FDA also strongly encourages manufacturers to participate in an Information Sharing and Analysis Organization (ISAO) so that vulnerability information is shared across the sector.
The final cybersecurity guidance on medical devices does not just apply to pacemakers and drug pumps. It covers any medical device that contains software (including firmware) or programmable logic, software that is itself a medical device (including mobile medical applications), devices that form part of an interoperable system, and legacy devices that are already on the market.
The first draft of the guidance was issued in January this year, so it has taken almost a year for the FDA to issue final cybersecurity guidance on medical devices. The FDA has been criticized for only issuing guidance rather than regulating the cybersecurity of medical devices more stringently. Since the passing of the 21st Century Cures Act, the FDA may choose to regulate medical devices more strongly, although whether that occurs remains to be seen.
At present, following the guidance is voluntary, as FDA guidance documents are nonbinding, but it is strongly recommended. The FDA also strongly recommends that device manufacturers adopt the practices, procedures, and processes set out in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, structuring their postmarket programs around its five core functions: identify, protect, detect, respond, and recover.