FDA to bolster cybersecurity of medical devices

Prompted by a series of computer security problems in medical devices, FDA is taking steps to make sure companies do as much as possible to defend against hacking and other threats.

Agency staff members are closely examining companies’ preparations for potential computer-hacking threats to medical devices, according to an audit report published Tuesday by the inspector general office at HHS.

"It's a fairly good story in terms of what FDA is doing on the cybersecurity front. As we dug into their processes further, however, we identified areas where there was room for improvement," said Abby Amoroso, the deputy regional inspector general who served as team leader for the study.

The guidance involves having FDA make changes to its internal processes to make sure it asks questions about medical device cybersecurity earlier in the device-approval process, and to ensure such questions are asked uniformly when new device submissions are made.

New rules under consideration at FDA could require device makers to create and distribute a “software bill of materials” that would identify all of the software that comes standard on a device. The agency is also considering forming a public-private CyberMed Safety Analysis Board that would assess high-impact cyber problems and serve as a "go team" to investigate potential and actual device compromises at FDA’s request.