Eliminating Misconceptions of Cybersecurity

What the FDA Actually Says About Medical Device Cybersecurity

Eliminating Misconceptions of Cybersecurity

What the FDA Actually Says About Medical Device Cybersecurity

Medical devices, like other computer systems, can be vulnerable to security breaches- potentially impacting the safety and effectiveness of the device. As medical devices are increasingly connected to the Internet, hospital networks, and to other medical devices, this vulnerability becomes more prevalent. With cybersecurity breaches becoming more and more publicized, the concern around medical device cybersecurity has become more mainstream than ever.

“In the past, government regulators were not very vocal about their concerns around data security in devices. That has changed significantly over the last 18 months.” Mike Kijewski, CEO of MedCrypt explained to Q1 Productions. “Device vendors need to have a well-articulated and executed security strategy to ensure that products in their development pipelines will make it to market without regulatory problems.”

All medical devices carry a certain amount of risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. So what exactly does that mean? The FDA post-market final guidance was released in December, and since then they have published resources to dispel myths about cybersecurity. Here are five common myths and misconceptions the FDA wants you to know about.

Myth: The FDA is the only federal government agency responsible for the cybersecurity of medical devices

What the FDA says: “The FDA works closely with several federal government agencies including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, health care delivery organizations, security researchers, and end users to increase the security of the U.S. critical cyber infrastructure.”

Myth: Cybersecurity for medical devices is optional

What the FDA says: “Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. The pre- and post- market cybersecurity guidances provide recommendations for meeting QSRs.”

Myth: Health care Delivery Organizations (HDOs) can’t update and patch medical devices for cybersecurity

What the FDA says: “The FDA recognizes that HDOs are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.”

Myth: The FDA is responsible for the validation of software changes made to address cybersecurity vulnerabilities

What the FDA says: “The medical device manufacturer is responsible for the validation of all software design changes, including computer software changes to address cybersecurity vulnerabilities.”

Myth: The FDA tests medical devices for cybersecurity

What the FDA says: “The FDA does not conduct premarket testing for medical products. Testing is the responsibility of the medical product manufacturer.”

Myth: Companies that manufacture off-the-shelf (OTS) software used in medical devices are responsible for validating its secure use in medical devices

What the FDA says: “The medical device manufacturer chooses to use OTS software, thus bearing responsibility for the security as well as the safe and effective performance of the medical device.”

To discuss other cybersecurity concerns, Q1 Productions is hosting the 2nd Annual Medical Device Cybersecurity Risk Mitigation Conference on July 17-18 in Arlington, Virginia. There will be regulator perspectives (FDA), security organizations (ISAO, NH-ISAC), and industry leaders coming together to provide insights on the evolving space of medical device cybersecurity. It will be a very interactive conference with solo presentations, co-presentations, fireside chats, panels, and open discussions.

Back To Blog

View Our Events

Join Our Mailing List



Medical Device Quality Improvement: Implementing Postmarket Cybersecurity Programs Aligned with New FDA Guidelines

DOWNLOAD TODAY

2nd Annual Medical Device Cybersecurity Risk Mitigation Conference

July 17-18
Arlington | VA

FIND OUT MORE

VantagePoint Performance trains Salespeople to be more fluent and comfortable across different situations needing different sales approaches, and we train Sales Managers to be better coaches and team leaders, with more focus and less stress.

We’re different from the average sales training company because:

We don’t believe that one approach, one system, or one methodology is absolutely superior. All have something to offer, and the “best approach” or “best system” depends on the sales situation. This is what our applied, academic research tells us.
Our use of data science, specifically Machine Learning, helps us learn about our clients more meaningfully. We provide insights from each client’s data to help them understand what drives the success of their top-performing Salespeople and Sales Managers.
We are constantly feeding what we learn back into our training products, and we invest a bigger slice of our total energy into this innovation than the average sales training company. Our clients can access always-refreshed intellectual property and content through our training subscriptions.

Visit Sponsor Website