All medical devices carry a certain amount of benefit and risk. The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. Medical devices are increasingly connected to the Internet, hospital networks, and to other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Threats and vulnerabilities cannot be eliminated; therefore, reducing security risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage security risks. The FDA’s recommendations for mitigating and managing cybersecurity threats include:
- Medical device manufacturers (MDMs) and health care delivery organizations (HDOs) should take steps to ensure appropriate safeguards are in place. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. These organizations are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Health care delivery organizations should evaluate their network security and protect their hospital systems.
AdvaMed has also developed foundational cybersecurity principles for its members' use. The principles include:
- Establishing a cybersecurity risk management program to include premarket and postmarket considerations
- Device cybersecurity is a shared responsibility
- Establishing coordinated disclosure policies
- Participating in information sharing programs
- Regulators, manufacturers and security experts must work together to develop standards and regulations