FDA Publishes Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) released a set of recommendations for manufacturers for managing cyber-security risks and protecting patient health and information. 

The guidance is titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’ and recommends that manufacturers consider cybersecurity risks as part of the design and development of medical devices and submit documentation to the FDA about those risks and the controls in place to mitigate them. The guidance also recommends manufacturers submit their plans for providing updates to operating systems and software.

“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a statement. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

The FDA said it has been working closely with other federal agencies as well as the medical device industry to identify and discuss vulnerabilities. This fall, the agency is planning a public workshop to discuss how government, medical device developers, hospitals, cybersecurity professionals and others can collaborate to improve the security of medical devices and protect the public.

“FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices,” according to the document. “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

In particular, medical devices that are capable of connecting to another device or the Internet are more vulnerable to security threats, the guidance notes. In its recommendations, the FDA stresses the importance of authentication controls and detection.

“The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information,” according to the document. “This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in the design and development of their medical devices as well as in preparing premarket submissions for those devices.”
