FDA’s Five-Point Action Plan to Enhance Medical Device Cybersecurity


The medical devices that have come out in the market have increased in the past few years. The devices have been very helpful in allowing healthcare providers manage the health of their patients. But there are concerns being raised on the issue of medical device cybersecurity.  

When patients use medical devices, sensitive information is collected, stored, received and transmitted through the systems to which they connect. While this has obvious healthcare benefits, it introduces a risk that could expose the patients’ protected health information.

The FDA reports that there were many novel devices approved for use in the U.S. in the past year. Developing novel devices is encouraged to address health needs. The FDA has been working with healthcare providers, device manufacturers and patients to understand and balance the risks and benefits associated with the devices to protect consumers.

In an effort to reduce risks, the FDA developed a five-point action plan. The plan encourages the development of new devices that address unmet health needs. At the same time, it enhances security controls to protect patient privacy and confidentiality. The FDA’s medical device center as well as the premarket and postmarket offices will be working on the plan. The expert staff in both offices will help in optimizing decision-making.  

The FDA will be using the ‘Total Product Life Cycle’ (TPLC) approach to determine the safety of devices for the entirety of their lifespan. The risks of using the devices are evaluated before they are made available in the market. However, the risks are often not totally understood until the devices are released and used by patients in different settings. When risks are identified in postmarket devices, the FDA will explore different regulatory options to make sure that the devices are updated and security patches are applied to fix vulnerabilities.

The FDA regulates the labeling of medical devices so that providers are aware of the devices’ safety and effectiveness. But additional training for providers and education for users of the devices is under consideration. The FDA will be developing scientific tool kits that the manufacturers can use to be sure that premarket devices pass the safety standards.

The FDA is finding ways to streamline and speed up the review of devices in order to encourage manufacturers to incorporate advanced cybersecurity controls on medical devices. The FDA currently promotes a “multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery and resilience” in ensuring devices are safe for the duration of their life cycle.

The agency is also looking to create a public-private CyberMed Safety Analysis Board that will resolve issues concerning medical devices. Clinicians, biomedical engineers and cybersecurity experts will become members of the board. They will serve as advisers of the FDA and device manufacturers regarding cybersecurity issues and adjucating disputes.