USA – Scratching the surface: Medical device companies’ evolving efforts to tackle cybersecurity

Anyone paying even the slightest attention to today’s media has likely seen numerous reports on cybersecurity risks associated with medical devices. Some reports are overblown, some present more measured concern, and others describe very specific risks, such as those arising from major cyber-related product recalls. But there is overall consensus among security experts, healthcare providers, and regulators that cybersecurity protection for medical devices needs to be taken very seriously.

Establishing regulatory expectations for cybersecurity

US FDA has published draft guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices, and final guidance for Postmarket Management of Cybersecurity in Medical Devices.

The FDA premarket guidance is expected to be finalized by the end of 2019. Emergo by UL has been hearing a consistent theme from our medical device manufacturer clients that FDA staff are now asking lots of questions about cybersecurity matters during the regulatory submission process. Much of FDA’s questioning comes from the expectations spelled out in its guidance documents. Regulatory bodies from other countries, including Canada, Australia and South Korea, have followed or will be following suit with guidance similar to US FDA’s, and we expect that these authorities will apply similar levels of cybersecurity scrutiny to their oversight…