FDA’s Medical Device Safety Action Plan Includes Promising Cybersecurity Proposals

ANN ARBOR, MI, April 17, 2018 – The U.S. Food and Drug Administration (FDA) released a safety action plan today that includes several proposals designed to improve the cybersecurity of medical devices. The Association for Executives in Healthcare Information Security (AEHIS) supports the FDA in its efforts and welcomes the opportunity to work with the FDA to protect patients who rely on medical devices for life-saving treatments.

“The challenges of protecting medical devices from cyberattacks are a hot topic within our association,” said Erik Decker, AEHIS chair and chief security and privacy officer at University of Chicago Medicine. AEHIS has consistently advocated for policies that bring greater protections to the healthcare sector and transparency for providers who purchase these devices. “We believe all parties understand this challenge is a shared responsibility; today’s FDA announcement is an important step toward furthering this goal.”

The report, “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health,” outlines plans to improve the safety of medical devices throughout their life cycle. Plans specific to cybersecurity include:

  • Considering potential new premarket authorities to require firms to build capability to update and patch device security into a product’s design and to report this capability in the device’s premarket submission.
  • Developing a “Software Bill of Materials” that must be provided to FDA as part of a premarket submission and made available to medical device customers and users.
  • Updating the premarket guidance on medical device cybersecurity to better protect against moderate and major risks.
  • Considering new postmarket authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.
  • Exploring the development of a public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and FDA.

The complete report is available here.

About AEHIS

The Association for Executives in Healthcare Information Security (AEHIS) was launched in 2014 to provide an education and networking platform to healthcare’s senior IT security leaders. With more than 800 members, AEHIS is advancing the role of the chief information security officer (CISO) through education, collaboration, exchange of best practices and advocacy in support of secure health information for the protection of both healthcare organizations and consumers. For more information, please visit aehis.org.

Candace Stuart
Director of Communications and Public Relations, CHIME
[email protected]