Will Different Medical Devices Call For Different Cyber Standards?

Whitney Blair Wyckoff | FedScoop | October 29, 2014

An increasing number of medical devices, from pacemakers to insulin pumps, include components that could open them to cyber vulnerabilities. So will the Food and Drug Administration start taking into account the differences in these devices as the agency evaluates premarket submissions?

“Over time as we accumulate experience with the provided cybersecurity risk assessments, there will be a repertoire that we identify with and then look for in other submissions,” said Seth Carmody, a staff fellow with FDA’s Center for Devices and Radiological Health.

Carmody made the comments during a 1.5-hour webinar Wednesday during which members of industry posed specific questions about medical device cybersecurity guidance released this month. The event comes a week after Reuters reported that the Department of Homeland Security was investigating at least two dozen cases of possible cybersecurity flaws in medical devices.

Questions during the webinar dealt with a range of issues, including what the reporting requirements are for updating software, what kinds of devices the guidance encompasses and how to include information about cybersecurity risk mitigation in application submissions.

In the guidance, FDA said that manufacturers should incorporate specific controls within their products to combat cybersecurity risks, and they should factor in patients’ risks and the environment in which the device is used. The agency also indicated that device security falls to device manufacturers, health care facilities and patients alike.

Abiy Desta, from the Office of the Center Director at FDA’s Center for Devices and Radiological Health, in response to a question during the webinar, said that reviewers who evaluate premarket submissions receive training about guidances, and they have access to subject matter experts who can help with questions...