The New FDA Cybersecurity Guidance You Need to Know

Nancy Crotti

October 2, 2014


Forewarned is forearmed, as the old saying goes.

The U.S. Food and Drug Administration wants medtech device makers to forearm themselves and their end users against cyber attacks. In a guidance statement issued this week, the agency said that although there has been no apparent security breach affecting medical devices, it recommends that medtech manufacturers "consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks."

Manufacturers can further reduce the vulnerability in their medical devices by having a plan to manage system or software updates, the agency said.

The FDA is worried about:

  • Malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data;

  • Unsecured or uncontrolled distribution of passwords;

  • Failure to provide timely security software updates and patches among medical devices and networks;

  • And security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.

Other concerns include medical device malfunction; disruption of healthcare services, including treatment interventions; inappropriate access to patient information; or compromised electronic health record data integrity, the agency said in announcing a public workshop on Oct. 21 and 22, 2014.

The FDA has been working with other federal agencies and the medical device industry to identify and communicate with stakeholders about vulnerabilities. The agency is planning a public workshop this fall to discuss how government, medical device developers, hospitals, cybersecurity professionals, and other stakeholders can collaborate to improve the cybersecurity of medical devices and protect the public health. It is accepting comments on the guidance at

The industry has not been waiting for FDA to issue the call to arms. Qmed reported in January that a search engine called Shodan is adept at discovering hard-coded passwords, permitting hackers to gain control of a medical device.

Types of medical devices with known vulnerabilities (based on Shodan searches and a June 13, 2013, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) report) include:

  • Glucose meters;

  • Surgical and anesthesia devices;

  • Fetal heart monitors;

  • Ventilators;

  • Drug infusion pumps;

  • External defibrillators;

  • Patient monitors;

  • And laboratory and analysis equipment.

According to an April 2014 Reuters article cited by Qmed, the FBI agrees that hacking of medical devices and hospital equipment is a very real risk. The article cites a private notice from the agency that alleges that "[th]e healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."


Nancy Crotti is a contributor to Qmed and MPMN.
