Postmarket Management of Cybersecurity in Medical Devices

Shared by Safeguard Scientifics’ Blog

Over the last 18 months, an alarming number of medical device companies’ challenges with data security have been exposed.

In 2015, Hospira’s LifeCare PCA3 and PCA5 devices were found to have security vulnerabilities that prompted a recall. In 2016, St. Jude’s Merlin@home™ remote cardiac monitoring devices were found to require security updates after research firm MedSec found dangerous snags that could possibly lead to patient harm. While these security issues were discussed publicly in the press, one can only imagine the conversations behind the scenes at other medical device vendors around the country.

This increased concern about cybersecurity for medical devices prompted the Food and Drug Administration (“FDA”) to release a guidance document entitled “Postmarket Management of Cybersecurity in Medical Devices”. While some device vendors have assumed that the “guidance” nature of this document makes its recommendations optional, the FDA has taken the position that device manufacturers are required to ensure the safety and efficacy of medical devices in the face of this evolving cybersecurity landscape. Therefore, if a vendor is choosing not to follow this guidance, it must have another cybersecurity strategy with similar efficacy in order to avoid regulatory scrutiny.

Click here to read the full post.


©2016 PACT All Rights Reserved