The U.S. Food and Drug Administration appears to have heeded the call of providers, regulators and consumers increasingly concerned about the cybersecurity of medical devices such as infusion pumps and pacemakers, issuing draft guidance on how manufacturers should handle vulnerabilities in products already on the market. Such devices are often connected to the Internet and hospital networks; if compromised, their safety and effectiveness can be affected and the patient data they carry exposed.
The guidance recommends manufacturers of medical devices monitor, identify and respond to cybersecurity vulnerabilities as part of routine post-market surveillance of their products. They would be required to report some of that information back to the FDA.
Last July, the FDA issued a warning to providers about Hospira's Symbiq Infusion System and advised them to stop using the product because of cybersecurity vulnerabilities.
"Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cybersecurity threats," said Dr. Suzanne Schwartz, acting director of emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health.
Manufacturers should develop programs to assess the risk that a cybersecurity threat poses to their products, according to the agency's recommendations. Some vendors have said that FDA rules deter them from making even small modifications or patches to device software, out of concern that any change would affect a product the agency had already approved. The draft guidance says that routine updates and patches would not require device makers to notify the agency. Only where a vulnerability could lead to serious adverse health outcomes or death would manufacturers be required to notify the FDA, which has sole authority to approve medical devices in the United States.
Devicemakers would also be exempt from reporting a problem if they notify product users and fix the vulnerability within 30 days of learning about it, and if they share threat information with other companies to help prevent attacks.
The guidance will be discussed at an FDA workshop on cybersecurity Wednesday and Thursday.
A spokesman for leading devicemaker Medtronic said in an e-mail that the company was still reviewing the agency's guidance, which is open for public comment for 90 days. The company said it would continue to work closely with regulators on the issue and that it supported "the agency's engagement in the cybersecurity of medical devices."
The latest proposed guidance for post-market monitoring follows guidance the FDA issued in 2014 for manufacturers to address cybersecurity concerns as they are developing their products.