Medical Devices Development: Best Practices in Risk Management

Sterling Medical Devices


As technology becomes increasingly mobile and our devices more connected than ever, the risk of breaches to networks increases as well. In the case of networked medical devices, the impact may be life-threatening without strong medical device cybersecurity. Because medical devices are part of this transformation into a more connected world, the FDA has taken a strong interest in proactively guiding manufacturers on the safety of medical devices.

Medical Device Cybersecurity
Sterling Medical Devices builds cybersecurity right into the medical device.

What makes medical device cybersecurity particularly vexing is the pace of technological change. The iPod, iPhone, and iPad, as well as Android-operated devices, were all introduced in the first decade of the 21st century. In between product launches and updates, operating systems are updated, sometimes very significantly, potentially affecting medical device security between connected devices. The FDA has recognized the cybersecurity risk to medical devices and, in response, has issued guidance for manufacturers. First proposed in June 2013, the FDA guidelines were finalized in October 2014.

What are the FDA’s medical device cybersecurity concerns?

  • To the extent medical devices are connected via wireless, Internet, and other networked means, there is a risk they might not operate as intended.
  • The standard FDA approval process can take a long time, so being able to respond to cybersecurity threats in a more nimble manner will better protect the public.
  • Building in cybersecurity safeguards during the medical device design stage helps ensure new products will be released with benefits that outweigh the risks.
  • By their nature, each cybersecurity threat may take on its own new form, so it is unlikely that the FDA could ever devise a successful one-size-fits-all approach. The FDA itself sees the medical device cybersecurity threat as one that is always evolving.

Shared responsibility

  • The FDA sees the mitigation of cybersecurity threats as a shared responsibility of healthcare facilities, patients, providers, and device manufacturers.
  • For manufacturers, the FDA directs them to “develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety” (from Content of Premarket Submissions for Management of Cybersecurity in Medical Devices).
  • To the extent medical device cybersecurity risks are mitigated, there will be less threat of patient illness, injury, or death.

FDA direction to medical device manufacturers

  • Establish a cybersecurity vulnerability and management approach that identifies assets, threats, and vulnerabilities.
  • Assess the impact on functionality and on patients.
  • Assess the likelihood of the threat and of the vulnerability being exploited.
  • Determine risk levels and mitigation strategies.
  • Assess residual risk and risk acceptance criteria.

Why partner with Sterling to meet medical device cybersecurity challenges

  • Sterling has successfully guided over 400 client medical device projects through the FDA approval process.
  • An experienced and innovative team of medical device engineers who design, test, validate, and advise on medical devices, and navigate the FDA submission process with our clients.
  • Technical expertise in the rapidly developing intersection of mobile devices (smartphones and tablets) and portable medical devices.
  • Expertise with always-evolving FDA and other government regulations, 510(k) and Pre-Market Approval processes, as well as FDA and European classification of devices.
  • Up-front approach with clients so that they fully understand what it takes to get a medical device to market, the costs involved, realistic time frames, and how to navigate the process.
  • Agile project management that helps clients focus on what is important as their device moves forward in the approval process, eliminating extraneous device elements that could threaten medical device cybersecurity or introduce other risks.
  • The FDA’s focus on ensuring the safety of medical devices and Sterling’s focus on designing the best-possible and most-compliant medical devices both aim to improve the health of patients.

Want to learn more about how your device can be at risk?

Read our article, Is Your Medical Device an Entry Point for a Cyber Attack?