Federal medical regulators have released final guidance to address the postmarket management of medical device cybersecurity. The issuance of the 30-page document comes just four months after hacking concerns involving St. Jude Medical’s Merlin@home monitoring system highlighted the potential threats currently facing the industry.
“Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, life cycle approach that begins with early product development and extends throughout the product’s life span,” Dr. Suzanne Schwartz, an associate director in the FDA’s medical device division, wrote on the official FDA Voice blog.
The FDA has been warning the medical device industry about hacking threats for years, and first released the draft of this guidance last January. The final guidance is voluntary and applies to medical devices already on the market. It recommends that manufacturers monitor for, identify and address cybersecurity vulnerabilities as part of the postmarket strategy for their products. The final document also directs manufacturers to report security problems to regulators as soon as possible if those problems have resulted in patient harm. Certain FDA reporting obligations are waived for dangerous vulnerabilities that have not been linked to patient injury, provided the manufacturer informs customers and users of the problem within 30 days, issues a fix within 60 days, and meets certain other requirements.
According to the FDA’s website, the agency has scheduled a webinar for January 12th to answer questions about the guidance document. Advance registration is not required.
The release of the FDA’s guidance comes in the wake of several high-profile controversies that have raised concerns about the potential for hackers to target networked medical devices, including pacemakers and insulin pumps. In August, for example, the Muddy Waters investment group published a report claiming that certain of St. Jude Medical’s implantable cardiac devices, especially those bundled with the Merlin@home remote monitoring system, suffered from significant cybersecurity vulnerabilities. Muddy Waters predicted that the devices would eventually need to be recalled, and speculated that any products liability litigation related to the controversy could ultimately cost the company as much as $64 billion. St. Jude has denied the allegations.
In October, Johnson & Johnson warned of a vulnerability affecting its Animas OneTouch Ping insulin pumps that could allow a hacker to remotely trigger an insulin overdose. And in 2015, the FDA warned hospitals to stop using Hospira’s Symbiq infusion pumps because of a cybersecurity problem that could allow hackers to alter a patient’s dosage by gaining access to a facility’s network.