A recent safety communication from the US Food and Drug Administration recommends appropriate and well-maintained security controls by medical device manufacturers and healthcare facilities as the use of computer systems, mobile technologies and networks becomes more widespread.

For medical device manufacturers in particular, the FDA recommends some rather standard-practice security measures:

• Limiting unauthorized access to medical devices via user authentication, password protections and card readers
• Protecting components of devices from security risks using routine security patches, and restricting software and firmware updates
• Incorporating “fail-safe modes” into medical device design approaches to maintain functionality in the event of a security breach or compromise

The FDA notice includes a clause stating that medical device software changes made only for cybersecurity reasons do not require regulatory review or approval.

Whether or not US regulators expand the scope of premarket approval (PMA) registration reviews to include applicants’ security processes is another question: The FDA has already published draft guidance on how to address cybersecurity in pre-market submissions, as well as on cybersecurity issues related to devices using off-the-shelf software.

Developers of mobile medical applications and storage system manufacturers whose devices fall under the Class I category in the US may be particularly affected if the FDA steps up scrutiny of cybersecurity measures, as their products currently do not go through the 510(k) review process.

Stewart Eisenhart