Medical device security

Myth

Applying security updates and patches to FDA-regulated systems involves making onerous changes requiring FDA approval and paperwork; hence, incorporating such updates and patches into business processes is difficult and cumbersome.

Fact

The FDA views security for medical devices and their associated communication networks as a shared responsibility between medical device manufacturers and medical device user facilities. The proper maintenance of security for medical devices and hospital networks is vitally important to public health because it ensures the integrity of the computer networks that support medical devices. While updates or patches may still require internal validation and approvals, the FDA itself does not need to grant such approval.

Further clarifying guidance from the FDA

The FDA has further clarified its interpretation of the appropriate regulations in the following documents:

• Information for health care organizations about FDA's "Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software"
• FDA Issues Medical Device Security Guide
• The Internet of Things: FDA Releases Guidance on Securing Wireless Medical Devices - What Medical Device Manufacturers Should Know
• FDA will regulate some apps as medical devices

In summary, the FDA emphasizes:

• Medical device manufacturers and user facilities should work together to ensure security threats are addressed in a timely manner.
• The agency typically does not need to review or approve medical device software changes made for security reasons.
• System maintainers should validate all software changes that address security threats before installation to ensure they do not affect the safety and effectiveness of the medical devices.
• System maintainers should ensure any system is free of viruses and malware before connecting a medical device.
• System maintainers should properly install, configure, and maintain anti-virus software and firewalls.
• System maintainers should keep operating system and medical device software up to date. Software updates offer the latest protection against harmful activities.
• System maintainers should validate all changes, updates, and patches, including operating systems, before installing them to ensure the safety and effectiveness of the medical devices.