USA – Examining US FDA criteria for medical device cybersecurity and risk management

Medicine is changing rapidly in how we diagnose, treat, and deploy therapy. Even a routine urgent care visit to a doctor’s office is evolving, with telemedicine allowing patients to access care from the comfort of their own homes. The ways patients are treated at a doctor’s office, emergency room, surgery center or other healthcare facility are continuously evolving.

Examples include imaging equipment that allows a radiological technician to share images in real time with a radiologist on a smart device or personal computer; the ability to pull precise dosage information for an infusion pump directly from the cloud; and the introduction of robotics into surgical environments. These all show how technology has allowed clinicians to treat patients more efficiently and effectively, in the hope of achieving even better outcomes.

Innovation and cyber risk

This all sounds fantastic, right? What could possibly be the downside to all of this innovation? Many readers probably already see where this question is leading. The answer is that all of those great innovations have increased the risk of cyber attack on medical device and health delivery organization (HDO) networks, and may ultimately introduce new safety risks to patients. Cybersecurity risk is a challenge that needs to be addressed by medical device manufacturers, HDOs and regulatory stakeholders alike, and it is being addressed.

For the purpose of this post, we’ll examine the role that regulators, specifically the US FDA, are taking in cybersecurity, and what effect that has on the product development submission processes device manufacturers follow to bring connected or software-enabled products to market. Beginning in 2014 with the initial Premarket Guidance for Cybersecurity Management, and continuing with the latest draft Premarket Guidance for Cybersecurity Management released in October 2018, the FDA has outlined how it will evaluate software-enabled or connected medical devices…