New FDA guidance calls on the medical device community to be more proactive when it comes to developing a solid set of cybersecurity controls


new FDA guidance calls on the medical device community to be more proactive when it comes to developing a solid set of cybersecurity controls to assure safety and efficacy for users.

However, the agency isn’t putting the entire onus on medical device manufacturers. FDA “recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers” and device makers. Those are comforting words, but we all know the buck ultimately stops with manufacturers. The key is to be prepared for any eventuality.

For the most part, FDA’s recommendations fall under the Basic Common Sense category. However, it is still valuable to understand an FDA Inspector’s general marching orders if they come calling at your facility.

Here are some of the more important items on FDA’s list of expectations:

  • Manufacturers should consider the balance between cybersecurity safeguards and the usability of the device in its intended environment, e.g. home. Security controls should not unreasonably hinder access to a device to be used during an emergency situation.
  • Tighten password policies to include, as needed, user authentication, session timeouts, and strengthen password protection.
  • Ensure capability of secure data transfer to and from the device, and when appropriate, use methods of encryption.
  • Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised.

The agency also outlined the type of documentation it hopes to see in a premarket submission of a medical device, including a:

  • Hazard analysis that demonstrated a clear understanding of potential threats and a list and justification for all cybersecurity controls.
  • Traceability matrix that links actual cybersecurity controls implemented and risks considered.
  • Summary describing the controls in place to assure that the medical device software will maintain its integrity.
  • Summary describing the plan for providing validated, software updates and patches as needed through the lifecycle of a medical device.

The guidance also includes a list of FDA recognized consensus standards. That can be found here.

About AssurX, Inc.

AssurX, Inc. provides global companies with enterprise quality management systems and regulatory compliance software solutions. AssurX’s flexible, all-in-one system automates quality and compliance related processes so issues can be centrally managed—from detection to corrective action and trend analysis. It helps collect, organize, analyze and share information to better manage risk and improve quality and compliance performance everywhere in the enterprise.

For the latest industry insights and updates go to