FDA Releases Guidance on Protecting Patient Information on Medical Devices

Patient information is increasingly stored on networked medical devices, and attackers are correspondingly more interested in obtaining it. In response, the US Food and Drug Administration has issued non-binding guidance for device developers on protecting patient data.

The guidance document, released October 2, 2014, “provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.” The scope of the guidance, as defined by the FDA, “is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.”

According to the FDA, cybersecurity should be treated as a shared responsibility among healthcare facilities, patients, and manufacturers, and a manufacturer's cybersecurity risk-management strategy should include the following elements:

  • Identification of assets, threats, and vulnerabilities
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients
  • Assessment of the likelihood of a threat and of a vulnerability being exploited
  • Determination of risk levels and suitable mitigation strategies
  • Assessment of residual risk and acceptance criteria

The full recommendations are available from the FDA, and comments on the guidance can be submitted at http://www.regulations.gov.