Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Questions linger about FDA processes that seem to favor medical device companies
Matthew M. Lowe
Confronting the fear of being displaced by machines
Matthew M. Lowe
The velocity at which digital transformation is reshaping business models seems utterly chaotic in a compliance-based industry
Jon Speer
As a medical device manufacturer, you can expect to be inspected
Dirk Dusharme @ Quality Digest
Huge amounts of biometric, DNA, and diagnostic data enable personalized medicine. They also enable unscrupulous and discriminatory marketing.

More Features

FDA Compliance News
Creates adaptive system for managing product development and post-market quality for devices with software elements
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
The FDA wants medical device manufactures to succeed, new technologies in supply chain managment
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
The FDA’s RMAT designation goes live

More News

Ken Miller

FDA Compliance

FDA Proposes Cybersecurity Guidelines for Medical Devices

Stakeholders have 90 days to submit comments to the FDA

Published: Monday, February 22, 2016 - 17:42

I wrote last month about the need to increase security for imaging devices in hospitals. The devices I cited store both personal and medical information about patients and should be subject to standard security measures. Very often they are not.

Last month the U.S. Food and Drug Administration (FDA) issued proposed guidelines for post-market management of cybersecurity in medical devices. The guidelines provide best practices for assessing and managing cybersecurity vulnerabilities in medical devices and include situations involving both hacker access to patient records and hacker access to the devices themselves. Although a hacker’s ability to access our private information is alarming, it’s even more distressing to consider a hacker’s ability to increase or decrease IV drips, alter pacemaker functions, or change settings on an imaging device.

Networked medical devices come under the broader heading of the Internet of things (IoT), which includes anything that has an on/off switch and an Internet connection. Currently, that could be everything from cell phones, coffee makers, home security systems, and baby monitors to an airplane’s jet engine or the drill on an oil rig. Gartner, an analyst firm, predicts that there will be more than 21 billion connected devices by 2020.

Security is an ongoing concern with the IoT. Every additional connection opens up another possible point of entry into networks, for legitimate users and hackers. In the rush to market to offer new features to improve ease of use or innovations in care, sometimes security is an afterthought. The FDA guidelines encourage active and ongoing evaluation of cyber risks and efforts to manage those risks for products in the marketplace.

One notable omission in the guidelines, however, is any penalty for not ensuring the security of devices. Manufacturers are under no obligation to follow best practices or to change their manufacturing processes at this time. I expect competition in the marketplace will handle some reluctance to adopt the guidelines. Penalties may handle the remainder of the reservations.

Stakeholders have 90 days to submit comments to the FDA before the guidelines are finalized.


About The Author

Ken Miller’s picture

Ken Miller

Ken Miller serves as a senior manager in healthcare services at HORNE LLP, a CPA and business advisory firm. He concentrates on providing compliance consulting services in the areas of healthcare billing regulations, privacy regulations, and healthcare internal audit services.