Tag Archives: medical devices


What The FDA’s Postmarket Management of Cybersecurity in Medical Devices Means for Manufacturers of Medical Devices

The FDA‘s guidance on “Postmarket Management of Cybersecurity in Medical Devices”[PDF] is a complementary document for the 2014’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” [PDF]. The 30 pages of the guidance contain detailed recommendations, and the manufacturers of medical devices need to study them thoroughly.

The guidance is consistent with the cybersecurity guidelines set by the U.S. Government for other industries such as power grids and financial organizations and aims to protect critical infrastructures from cyber threats. Since most of the medical device manufacturing is in the private sector, the guidance also aims to facilitate cooperation between the public and private actors in preventing and mitigating cyber attacks.

Key Highlights

#1. Medical devices: the guidance applies to medical devices containing software, firmware, programmable logic, as well as mobile medical devices and applications, and devices that are part of interoperable systems – the legacy devices already in use, or on the market.

The agency explains the scope of medical devices has increased to include any device that is connected to computer networks and can, therefore, be compromised.

#2. Patient Harm (IV): the guidance stresses the importance of risk-based assessments of cybersecurity vulnerabilities that could cause patient harm. Of note: Patient Harm replaces Essential Clinical Performance that was present in the draft version. Patient harm definition is aligned with ISO 14971.

Interestingly, the guidance excludes compromise of private data from the definition of patient harm and refers to HIPAA for privacy protection recommendations.

#3. Evaluation of Risk of Patient Harm (VI) is the key purpose of the cyber-vulnerability risk assessment that needs to define if the risk of patient harm is:

  • controlled/acceptable (low probability of an exploit harming patient health)
  • or uncontrolled/unacceptable (high probability of an exploit harming patient health).

The agency suggests a matrix to evaluate risk acceptability, involving:

  • the exploitability of the vulnerability
  • the severity of patient harm in case the vulnerability is exploited

Of special note here is the recommendation to adopt a vulnerability disclosure policy and recognize that mitigation changes may affect the device’s performance.

#4. Postmarket Considerations (V) section introduces recommendations to deploy robust cybersecurity risk management program throughout the entire product lifecycle. The FDA emphasizes that such programs must include:

  • Monitoring information sources (ISAO, customer complaints, service records) for news on new vulnerabilities and threats.
  • Deploying threat modeling to define how to maintain safety and essential performance.
    Implementing mechanisms for monitoring third-party software for emerging vulnerabilities during the device’s entire lifecycle; and design verification and validation for software updates and patches for vulnerabilities, including those in Off-the-shelf software.

The cybersecurity program needs to be comprehensive, systematic, thoroughly documented and in compliance with the Quality System Regulation (21 C.F.R. Part 820). NIST has a guidance on cybersecurity programs for manufacturers, and the FDA’s guidance contains an Appendix “Elements of an Effective Postmarket Cybersecurity Program.” It encompasses five elements -1) identify; 2) protect or detect; 3) protect/respond/recover; 4) mitigate risks to safety and essential performance.

#5. Maintaining Safety and Essential Performance (V) links cybersecurity risk management to safety, essential performance, threat modeling, and mitigation actions.

Controlled risks can be patched in a routine update. They fall under the “cybersecurity routine updates and patches” group. These patches are not considered as repairs and do not call for reporting under 21 CFR 806. If a manufacturer holds a PMA, an annual 21 CFR 814.84 report needs to mention the patch.

Uncontrolled risks must be patched as soon as possible in the form of a patch, update or a temporary “fix” (for example, disabling the Internet connectivity). It is advisable to start with a quick temporary fix to ensure patient safety, and then proceed with a permanent patch in cases when a permanent patch takes some time to design and deploy. Manufacturers must report these fixes to the FDA (21 CFR part 806).

#6. Reporting exceptions. The FDA waives the 21 CFR 806 reporting if the three requirements are met:

  • No deaths or other serious adverse events happened due to the vulnerability.
  • The manufacturer has notified users of an available fix (temporary or permanent) no later than 30 days of learning of the vulnerability. The manufacturer has instructed the users on how to apply the fix.
  • No later than 60 days after learning about the vulnerability, the manufacturer fixes it, validates the change and distributes the patch. The manufacturer should follow-up with end-users after the distribution of patch.
  • The manufacturer is a member of an ISAC/ISAO.

#7. Criteria for Defining Active Participation by a Manufacturer in an ISAO (IX) urges the manufacturers to participate in the Information Sharing Analysis Organization.

ISAO/ISAC – Information Sharing & Analysis Committee/Organization, non-profit, industry-specific organizations created to let the members share knowledge about data security. Members of these organizations have a few legal exemptions that apply to the information they share. NH-ISAC is an ISAC, where the National Healthcare organization is a partner.

#8. Impact on Industry

The basic principles of NIST framework must be adopted in the manufacturers’ cybersecurity program. Take into account medical device cybersecurity throughout the entire product lifecycle. Pre-market, manufacturers should incorporate cybersecurity management inputs and design an approach that would determine:

  • Assets and vulnerabilities;
  • How threats/vulnerabilities may cause Patient Harm;
  • The likelihood of threats;
  • Risk levels based mitigating promptness and strategies;
  • Residual risk assessment, and risk acceptance criteria.

Manufacturers must define the risk of patient harm, identify the cybersecurity vulnerabilities of their devices, assess and classify the existing risks and engage in remediation. A proper documentation of the process is expected.

Health IT community must engage in better information sharing. The FDA encourages the medical device manufacturers and the health IT community as a whole to collaborate closer in ISAO and ISAC to facilitate threats identification and remediation. The FDA Center for Devices and Radiological Health (CDRH) also encourages the fostering of ISAOs and the role of NH-ISAC. The manufacturers of medical devices should consider joining an ISAC to:

  • Have access to information and intel about the cyber threats.
  • Be exempt from some reporting requirements under 21 CFR 806 (uncontrolled risks).
  • Have access to the community where manufacturers can share information exempt from regulatory use and civil litigation, and the federal Freedom of Information Act, given the data shared meets the requirements of the Critical Infrastructure Information Act.

Manufacturers must understand and comply with the mandatory reporting requirements under 21 CFR 806. One of the most complex points since reporting is difficult to draft and apply and raises concerns about proprietary data protection.


The FDA has been explicit that manufacturers must deploy the comprehensive cybersecurity and risk analysis – over the entire lifecycle of a medical device. The primary focus of the analysis is the risk of patient harm. The guidance includes legacy and mobile devices in the scope of medical devices, recognizing that connectivity increases the chances of a device compromise.

The good news is the reduced reporting to the agency in certain cases, and ways to disclose vulnerabilities without assuming a litigation risk.

At this point, manufacturers should acknowledge the FDA’s increasing attention to cybersecurity, and take these recommendations as seriously as possible. As medical devices become more connected and smart than ever, we can expect that some of the recommendations, if not most, could become mandatory in the foreseeable future.

IEC 6070-1

The Impact of the IEC 60601 Standard on the Healthcare Industry

IEC 60601-1 is the primary standard governing the design of medical devices. While not all countries have adopted IEC 60601-1 as the standard, globally it has become the de facto international benchmark for the design of electronic medical devices.

IEC 60601-1 is a standard intended to be applied to all electro-medical devices traded internationally as a requirement for bringing new medical devices to market. 60601 was first published in 1977 and has been revised many times. The most recent revision, 60601 3rd edition was published in 2005. It was adopted in 2006 by the European Union impacting international medical device manufacturers. In January, 2014, the U.S. started enforcement of the 3rd edition of IEC 60601 for new medical devices (medical devices already on the market on this date were excluded from this enforcement).

There has been a great deal of focus on the standards set by IEC 60601. What are the particulars involved in this set of standards and why is it so important for healthcare administrators to purchase products that adhere to them? Let’s take a deeper look at the details surrounding IEC 60601 and the impact that it has on the healthcare industry.

Designing in Safety: Medical Electronic Manufacturers and IEC 60601

Designing an electronic device that can be used within the clinical setting and meets the standards set out in IEC 60601 is a long process. One of the biggest challenges that manufacturers face when it comes to developing electronic devices is making sure that the instruments in question sufficiently address issues of safety. The IEC 60601 standard was created to directly address these issues. The IEC 60601 standard addresses the risks associated with the use of electrical medical equipment. Purchasing a device that complies with the 60601 standard ensures that the device has gone through a complex series of testing before it is certified ready to bring to market.

Devices Covered by the IEC 60601

There are a varied number of devices that fall under the purview of the IEC 60601 standard. Devices that are used to diagnose, treat, or monitor patients and have one connection to an energy supply are covered by the standard. Should a device have physical contact either directly or indirectly with a patient and transfer energy such as electrical currents to or from the patient, then the device is covered by the regulations set by IEC 60601. Examples of products that are covered by this standard include infusion pumps, endoscopic cameras, MRI and gamma imaging systems, battery operated medical devices, accessories that may be associated with these devices, etc.

Evaluating Hazards Associated with the Use of Electronic Medical Devices

A primary focus that the IEC 60601 standard addresses is the exposure of both users and patients to hazards associated with electronic medical devices. A device that strictly complies with IEC 60601 ensures that hospital administrators, patients, and healthcare practitioners have reduced risks associated with the use of medical grade electronics. An example of this are the risks associated with the energy output of certain electronic medical devices. IEC 60601 directly addresses this issue through stringent rules on the design of medical devices so as to prevent any patient or operator from unintended exposure to electrical currents.

Non Conforming devices

Many hospitals & medical facilities have used traditional desktop computers, towers and all in ones produced by the big three throughout their operations ranging from operating rooms to patient registration and nursing stations. Such computers are not certified to IEC 60601 standards and present a potential risk to both the patient and healthcare practitioners that may cost hospitals millions in potential legal actions.

Manufacturers who create products that adhere to the IEC 60601 standard get to ensure that their devices meet product safety requirements from the initial design phase. This approach directly benefits patients & healthcare providers.