Michael Causey

FDA Compliance

FDA Answers (Some) Medical Device Cybersecurity Concerns

For premarket approval, it’s mostly common sense—with a few caveats

Published: Tuesday, November 10, 2015 - 12:58

A new FDA guidance calls on the medical device community to be more proactive when it comes to developing a solid set of cybersecurity controls to ensure safety and efficacy for users.

However, the agency isn’t putting the entire onus on medical device manufacturers. The FDA “recognizes that medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers,” and device makers. Those are comforting words, but we all know the buck ultimately stops with manufacturers. The key is to be prepared for any eventuality.

For the most part, the FDA’s recommendations fall under the “basic common sense” category. However, it is still valuable to understand FDA inspectors’ general marching orders if they come calling at your facility.

Here are some of the more important items on the FDA’s list of expectations:
• Manufacturers should consider the balance between cybersecurity safeguards and the usability of the device in its intended environment, e.g., the home. Security controls shouldn’t unreasonably hinder access to a device to be used during an emergency situation.
• Tighten password policies to include, as needed, user authentication and session timeouts, and strengthen password protection.
• Ensure capability of secure data transfer to and from the device, and when appropriate, use methods of encryption.
• Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised.

The agency has also outlined the type of documentation it hopes to see in a premarket submission of a medical device, including:
• Hazard analysis that demonstrates a clear understanding of potential threats, and a list and justification for all cybersecurity controls.
• Traceability matrix that links the cybersecurity controls actually implemented to the risks considered.
• Summary describing the controls that are in place to ensure that the medical device software will maintain its integrity.
• Summary describing the plan for providing validated software updates and patches as needed through the life cycle of a medical device.

The guidance also includes a list of FDA-recognized consensus standards, which can be found here.

First published Nov. 2, 2015, on the AssurX blog.


About The Author

Michael Causey

James Michael Causey’s been a journalist since he started his own neighborhood newspaper in the 1970s. In addition to quizzing FDA officials for the past 10+ years, he’s also interviewed political satirist Art Buchwald, FCC Chairman Reed Hundt, SEC Chairwoman Mary Schapiro, and is the past president of the Washington Independent Writers. Causey is the editor and publisher of eDataIntegrityReport.com and is a contributing writer on the AssurX blog.