Anyone paying even the slightest attention to today’s media has likely seen numerous reports on cybersecurity risks associated with medical devices. Some reports are overblown, some present more measured concern, and others describe very specific risks such as from major cyber-related product recalls. But there is overall consensus among security experts, healthcare providers, and regulators that cybersecurity protection for medical devices needs to be taken very seriously.

Establishing regulatory expectations for cybersecurity

US FDA has published draft guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices, and final guidance for Postmarket Management of Cybersecurity in Medical Devices.

The FDA premarket guidance is expected to be finalized by the end of 2019. Emergo by UL has been hearing a consistent theme from our medical device manufacturer clients that FDA staff are now asking lots of questions about cybersecurity matters during the regulatory submission process. Much of FDA’s questioning comes from the expectations spelled out in its guidance documents. Regulatory bodies from other countries including Canada, Australia and South Korea have or will be following suit with guidance similar to US FDA’s, and we expect that these authorities will apply similar levels of cybersecurity scrutiny to their oversight.

Healthcare delivery organizations have also been raising the bar. They often ask medical device companies to complete extensive surveys with security questions that can sometimes take months to complete, and include, for example, requests for results from detailed cybersecurity testing.

Getting serious about cybersecurity

Emergo by UL has also been hearing from many of its manufacturing clients that they are just beginning to seriously work on or “scratch the surface” of their cybersecurity-related efforts. These discussions are with clients who are typically seeking guidance on how to build appropriate safeguards into their technology and related processes; meeting expectations from regulatory authorities; and most importantly on how to protect patients who are connected to or using their products.

Some key questions Emergo by UL cybersecurity consultants are more frequently discussing with client in this area include:

• How are manufacturers assessing cybersecurity risk for their products?
• How are companies building cybersecurity into their design and quality management systems in consideration of their products’ full lifecycles?
• How are manufacturers validating cyber-related device performance?

A manufacturer’s responses to these questions can help identify any significant cybersecurity gaps in their processes, as well as which steps to take to build out cyber capabilities.

James Keller is Business Development Director at Emergo by UL.

Learn more about medical device cybersecurity compliance at Emergo by UL:

• US FDA cybersecurity guidance consulting
• Cybersecurity risk management and procurement support
• Webinar: Mapping cybersecurity standards to FDA guidance