All companies in this day and age must devote some attention to cybersecurity risks. Regardless of industry, almost every entity maintains some form of personally identifiable information that requires protection (e.g., credit card information, Social Security numbers, bank account information, etc.). However, the medical device industry has additional concerns – it must make sure that its Internet- or WiFi-connected devices do not introduce cybersecurity risks, because failure to address cybersecurity vulnerabilities can result in compromised device functionality, loss of data, or exposure to security threats resulting in patient illness, injury, or death. Moreover, medical identity theft is on the rise, attributed largely to the worth of medical information to cyber criminals. Because medical identity theft often takes time to detect, it allows criminals to accumulate significant amounts of information, making it more valuable than other forms of fraud, such as credit card fraud, which can be quickly detected and the card cancelled.

The devices posing the greatest risks are those such as implantable defibrillators, pacemakers, brain stimulators, dialysis devices, and insulin pumps which are connected to another medical or non-medical product, or to a network, or to the Internet.

In late January, the Food and Drug Administration (FDA) held a two-day program intended to inform medical device manufacturers and the professionals who prescribe the devices about the steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. The information provided by the FDA was set forth in a recently updated draft guidance the FDA published in October 2018 (the “Guidance”). Adopting the steps set forth in the Guidance will make it more likely the FDA will find the device meets the statutory standard for premarket review.

The FDA does not have the authority to regulate cybersecurity protections. However, the recommendations will be considered as part of the review process of bringing a medical device to market. Federal regulations state that a manufacturer must “establish and maintain procedures for validating the device design” including “software validation and risk analysis.” 21 CFR 820.30(g). The Guidance states that part of the validation and analysis requires that manufacturers establish a cybersecurity vulnerability and management process, including design controls to ensure medical device cybersecurity.

The Guidance states that the FDA considers medical device protection to be a shared responsibility among many including health care facilities, health care providers, patients, as well as manufacturers. The Guidance includes recommendations to:

  • Limit access to trusted users and devices
  • Create authentication and check authorizations of safety critical commands
  • Ensure trusted content by maintaining code, data, execution integrity
  • Verify data integrity
  • Maintain confidentiality of data
  • Design the device to detect cybersecurity events in a timely manner
  • Design the device to respond to and contain the impact of a potential cybersecurity incident

The complete Guidance is available on the FDA's website. The FDA is accepting comments on the Guidance until March 18. We will continue to monitor these developments.


Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field. He is a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals and is an editor of the firm’s EPL Risk Mitigation Blog.

Mr. Schlossberg has extensive experience in handling all aspects of the employer-employee relationship. Areas of concentration include: employment discrimination prevention and litigation; workplace harassment policy development and compliance; social media and information privacy in the workplace; family and medical leave; disability matters; wage and hour investigations and litigation; non-competition agreements; and corporate mergers and acquisitions.

Mr. Schlossberg has defended against claims such as sexual harassment, age, race, national origin and disability discrimination for public and private companies in industries such as media, technology, airline, aircraft components, restaurants, supermarkets, securities, medical, manufacturing, cosmetics, food processing, software, clothing, vitamins and nutritional products, and many other employers of varying size throughout the metropolitan area and across the country.

Mr. Schlossberg lectures frequently about various topics to trade and professional associations, such as the Hauppauge Industrial Association. Mr. Schlossberg is also an active member of the Nassau County Bar Association and is a Past Chair of the Nassau County Bar Association Labor & Employment Law Committee.

Mr. Schlossberg is an appointed member of the Employment Law Panel of arbitrators for National Arbitration and Mediation.