Bloomberg Law

In recent years, there has been a vast increase in data breaches targeting health-care organizations. Cybersecurity threats and vulnerabilities in medical devices are evolving to become more sophisticated, which comes with new risks to patients and clinical operations that were not previously considered. While the U.S. Food and Drug Administration (FDA) has reported that it is not aware of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient, the risk of such an attack persists. Any cybersecurity attack on medical devices connected to a network can severely impact patients who are using those medical devices.

Authors: Kimberly J. Gold Robert Kantrowitz

FDA has taken these potential threats seriously, and according to FDA Commissioner Scott Gottlieb, the agency “has been working to stay a step ahead of these changing cybersecurity vulnerabilities, including engaging with external stakeholders.” FDA believes that, by taking proactive steps, it can help ensure that the health-care sector is well positioned to preemptively respond when cybersecurity vulnerabilities are identified in FDA-regulated products. In particular, FDA, through its Center for Devices and Radiological Health (CDRH), has taken a holistic, systematic approach to building its medical device cybersecurity program, as well as establishing a platform that emphasizes the importance of shared responsibility by the industry and other stakeholders. CRDH’s medical device cybersecurity program launched in 2013 with the establishment of a Cybersecurity Working Group, created to respond to concerns and actively address the need for innovative approaches and policies in medical device cybersecurity. Soon after, FDA began to focus on cybersecurity regulatory considerations, mostly in the form of recommendations for product developers and manufacturers at “each stage of a product’s life cycle.”

To read the full article, please visit bloomberglaw.com.