
Implanting cyber security by default into medical devices

8 February 2016

In January 2016 the Food and Drug Administration (FDA) issued draft guidance (the Guidance) to assist medical device manufacturers in managing cyber security risks during the lifecycle of medical devices.

The Guidance applies primarily to the “postmarket” phase and relates to (1) medical devices that contain software (including firmware) or programmable logic, and (2) software that is held to be a medical device.

The Guidance states that: “manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device. A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.”

The Guidance is open for comment and response until 21st April. To read the Draft Guidance in full please click here.

For more information please contact Robert Bond on +44 (0)20 7427 6660 or at robert.bond@crsblaw.com