U.S. FDA on Cyber security of Medical Devices

U.S. Policy on Medical Devices: The Department of Health and Human Services, Food and Drug Administration

All legally-marketed medical devices have benefits and risks.

The FDA allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients.

These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. Threats and vulnerabilities cannot be eliminated, therefore, reducing cybersecurity risks is especially challenging. The heathcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.

EU regulations: The European regulatory framework ensures the safety and efficacy of medical devices and facilitates patients’ access to devices in the European market. 

With patient health and safety as a guiding principle, the Council and the Parliament adopted on 23 April 2020 Regulation 2020/561 amending Regulation (EU) 2017/745 on medical devices regarding application dates of certain of its provisions with a greater focus on security and safety. Due to the COVID-19 crisis, the date of application for most Medical Devices Regulation provisionsare postponed by one year – until 26 May 2021. This postponement takes the pressure off national authorities, notified bodies, manufacturers and other actors so they can focus fully on urgent priorities related to the coronavirus crisis.

PANACEA perspectives: PANACEA has two open calls related to medical devices supporting the development of its cybersecurity toolkit. 

Lookout Watch entry date: 25/01/2020