Twitter LinkedIn Share this page Facebook RSS


Drug / Device Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

FDA Announces Strengthened Focus On Cybersecurity

October 11, 2018 | Paul Penticuff and Megan Sterchi Lammert

CYBERSECURITY. In a statement issued from FDA Commissioner Scott Gottlieb, M.D., the FDA made clear the threat of cybersecurity attacks are no longer a theoretical discussion, but are present and as such steps must be taken to proactively address future threats. Such attacks are already here in other capacities, including attacks on financial institutions, government agencies, and health care systems. 

The FDA’s specific concerns revolve around attacks on patient medical devices. Cybersecurity researchers have found various vulnerabilities in patient medical devices that could result in bad actors gaining access and control over the patient’s medical device.   While “FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” the “risk of such an attack persists.” As a result, in an effort to instill confidence in both patients and providers that it can effectively address any reported medical device cyber vulnerabilities, the FDA has determined that it is important to address such a threat of an attack now.

In taking such proactive steps, the FDA announced it has coordinated with the MITRE Corporation to launch a cybersecurity “playbook” for health care delivery organizations, along with the “signing of two significant memoranda of understanding.” A “sneak peek” at the playbook shows it addressing the types of readiness health care delivery organizations should consider in order to be better prepared and address cybersecurity incidents involving their respective medical devices. The memoranda, among other actions, created such groups as information sharing analysis organizations, which are groups of experts (aimed to include manufacturers who share potential vulnerabilities and threats) that gather, analyze and disseminate important information about cyber threats.  

The FDA’s work in addressing cybersecurity threats dates back to 2013 with the establishment of its medical device cybersecurity program. The FDA has issued a premarket and postmarket guidance for manufacturers to consider in addressing their cybersecurity vulnerabilities and threats. While the FDA’s premarket guidance was finalized in 2014, it announced in this statement that it plans on publishing a “significant update to that guidance to reflect the FDA’s most current understandings of, and recommendations regarding, this evolving space.” One such example included providing customers with a list of cybersecurity bill of materials to ensure that device customers and users are able to respond quickly to potential cybersecurity threats. 

Finally, the FDA is taking steps to bring additional resources to build its medical device cybersecurity program, starting with its Fiscal Year 2019 Budget in order to establish additional “regulatory paradigms” to proactively address vulnerabilities and threats.

Be on the lookout for a future discussion of the FDA’s collaborative “playbook” with MITRE, as well as a posting on the FDA’s “significant update” to its 2014 premarket guidance.

For immediate, additional information about addressing cybersecurity breaches in medical devices, visit our prior posts addressing cybersecurity:

About Drug / Device Law Blog

The BSCR Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Angela Higgins Clark, and our Drug and Device practice.


The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


For Important Legal Updates and Resources on the Coronavirus Click Here.