May 25, 2020


New FDA Guidance Addresses Medical Device Cybersecurity for Internet of Things

In 2017, numerous cybersecurity concerns relating to the Internet of Things (“IoT”) will emerge. IoT “refers to the ability of everyday objects to connect to the Internet and to send and receive data.” The network of “things” embedded with electronics, software, and sensors designed to exchange data is expected to grow to at least 50 billion by 2020.

Modern medical devices – such as pacemakers, insulin pumps, and defibrillators – use software and are connected to the networks of hospitals and other health care organizations. As a result, the safety and effectiveness of essential medical devices can be vulnerable to cybersecurity threats from sophisticated hackers – jeopardizing the health of dependent users. Indeed, a report released in August 2016 controversially asserted that pacemakers could be hacked and caused to malfunction.

In today’s world, cybersecurity threats are real, ever-present, and continuously changing. The protection of connected medical devices from cybersecurity threats involves continuous maintenance throughout the product’s lifecycle, not just during development. Without proper care, post-market innovations, features, and updates that improve a device’s function over time can inadvertently open the door to cybersecurity risks.

Final guidance issued December 28 by the Food and Drug Administration, titled “Postmarket Management of Cybersecurity in Medical Devices,” addresses the issue of continuous post-market management of such cybersecurity risks – to ensure that devices remain secure after they are put to use. In addition, the guidance clarifies when software updates to address cybersecurity vulnerabilities must be reported to the FDA – slowing down potential remedies – and when this step can be omitted.

The new guidance is very close to the draft guidance released in January 2016.

In light of the new guidelines, medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks. Among other things, manufacturers should:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices;

  • Understand, assess, and detect the level of risk a vulnerability poses to patient safety;

  • Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities;

  • Deploy mitigations such as software patches to address cybersecurity issues early, before they can be exploited and cause harm; and

  • Provide implementation guidance to medical professionals deploying the devices in patient settings.

In short, device manufacturers must learn to behave less like traditional device makers and more like software designers. The new guidance applies to all medical devices, including those already out on the market.

Copyright Holland & Hart LLP 1995-2020.


About this Author

C. Matt Sorensen, Holland Hart, regulatory compliance attorney, data breach management lawyer

Mr. Sorensen is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E), focusing his practice on domestic and international data privacy and cybersecurity law. He advises companies across industries on breach prevention, cyber-attack preparedness, information governance, regulatory compliance, and data breach management. In particular, he helps clients understand how to create and implement effective compliance programs and controls...

Patricia Pia Dean, Holland Hart, healthcare lawyer, regulatory matters attorney, medical

Health care law, in all its many aspects, is Ms. Dean's passion. Her desire to better serve her clients and understand healthcare laws and regulations in depth led her in 2010 to return to school to begin her Master of Laws (LL.M.) in health law. Her education, coupled with her years representing clients in health law-related matters, provides her clients with sophisticated counsel on a wide range of issues, including healthcare transactions, regulatory matters, practice formation, government investigations, medical ethics, and physician integration.

She is immersed in efforts at both the federal and state levels to reform healthcare and address its rising costs. She has extensive knowledge of the Patient Protection and Affordable Care Act, health benefit exchanges, accountable care organizations, and Medicare/Medicaid reforms.

Kim C. Stanger, Holland Hart, Health care Lawyer, HIPAA Attorney, Technology

Clients in the healthcare industry trust Mr. Stanger to provide sophisticated and nuanced counsel on everything from simple healthcare transactions to more complicated regulatory matters.

Mr. Stanger guides clients through simple and complex healthcare transactions, including practitioner and payor contracts; joint ventures; practice formations, acquisitions, and mergers; conversions; and physician integration. He helps clients comply with numerous laws and regulations governing healthcare, including Stark, the Anti-Kickback Statute, HIPAA,...

Romaine C. Marshall, Holland Hart, Software Technology Litigation Lawyer, Arbitration Attorney

Mr. Marshall is a litigation and trial attorney in the Salt Lake City office who represents businesses in the software, technology, financial and technical services, and energy and natural resources industries. He distills complex factual and legal issues to effectively persuade judges, juries, and opposing parties at trial and arbitration. He also counsels clients how to avoid the business expense and disruption of litigation and trial through settlement, pretrial dispositive relief, and other dispute resolution options. Mr. Marshall has represented clients in disputes...