LinkedIn Twitter Facebook Share this page RSS


Drug / Device Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 3 of 3)

January 24, 2017 | Megan Sterchi Lammert

The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Best Practices to Prepare, Mitigate, and Otherwise Manage Vulnerabilities and Potential Cybersecurity Attacks

Continuing from our two prior posts in this three-part series on effectively addressing cybersecurity breaches in medical devices, this third and final post will focus on best practices to prepare, mitigate and otherwise manage vulnerabilities and potential cyber-attacks.

Best practices to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks

The FDA has issued both pre-market considerations[i], which consists of proactively addressing vulnerabilities, and post-market considerations[ii], which consists of mitigation, remediation, and other risk management strategies, to aid in addressing today’s issues of medical device vulnerabilities and potential cybersecurity attacks on those devices. For more details on the FDA’s post-market guidance, see our prior series "FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices" posted in four parts here, here, here, and here.

The pre-market considerations include, (1) identifying assets, threats, and vulnerabilities; (2) assessing the impact of threats and vulnerabilities on device functionality and end users/patients; (3) assessing the likelihood of a threat and of a vulnerability being exploited; (4) determining risk levels and suitable mitigation strategies; and (5) assessing the residual risk and risk acceptance criteria.[iii] The manufacturer’s pre-market submission effectively includes the pre-market considerations that have been brainstormed thus far, such as all hazard analysis, mitigation and design considerations associated with the potential cybersecurity risks of a specific medical device, summary of plan for cybersecurity updates and patches, a matrix and summary showing and discussing cybersecurity controls and the risks they face, and device instructions for the specific product as to recommendations on how to properly use and secure the device.[iv]

Even after rigorous testing and risk assessment in the pre-market consideration and submission phase, given the rapid pace of technology today, medical device manufactures and companies should never stop evaluating the potential vulnerability of their devices or considering how to mitigate and remediate the same.[v] Mitigation is a risk management strategy used to minimize the impact of a cybersecurity attack on medical devices and the systems to which they are connected or networked, which takes into consideration the risk is the outcome of an attack and the aspect of security it affects.[vi] Remediation consists of an action or actions that are taken to reduce the risk to the medical device’s essential clinical performance to an acceptable level, including, but not limited to finding an official fix or solution to remove a cybersecurity vulnerability, using a compensating control, such as notifying the consumer base about a temporary fix or other work-around solution), to adequately mitigate the risk.[vii] One remediation strategy is to engage in cybersecurity “routine updates and patches,” which involves updates or enhancements or patches to a medical device. These updates and patches provide an increase in the medical device’s security and help to remediate the device’s vulnerabilities linked to the device’s controlled risk, while also not reducing the risk to a patient’s health. Such updates and/or patches included, but are not limited to, software, firmware, and hardware updates.

Other post-market considerations issued by the FDA include as follows: (1) monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk, which may require auditing of the network and immediately reporting any security breach,[viii] (2) understanding, assessing and detecting presence and impact of a vulnerability; (3) establishing and communicating processes for vulnerability intake and handling; (3) clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk; (4) adopting a coordinated vulnerability disclosure policy and practice; and (5) employing mitigations that address cybersecurity risk early and prior to exploitation.

Other all-around best practices[ix] discussed by the FDA have been to:

1.    Limit access to only trusted users through the use of such things as passwords, usernames, smartcards, biometrics, automatic timers, and physical locks;[x]

2.    Ensure that only trusted content is within the device and/or system by such means as restricting updates to the same or using encryption;[xi]

3.    “Detect, respond, and uncover,” which can be accomplished by using procedures and features that alert security compromises, educate the end user(s) on detections of security breaches, and provide methods for retention and recovery of devices;[xii]

a.    These elements are consistent with the National Institute of Standards and Technology Framework for Improving Cybersecurity Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover);[xiii]

4.    Create a structured and systematic approach to risk management and quality management systems consistent with 21 CFR part 820, which would include methods to identify, characterize, and assess a cybersecurity vulnerability and methods to analyze, detect, and assess threat sources;[xiv]

5.    Be proactive! Practice good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable;

6.    Remediate by finding an official and/or temporary fix to cybersecurity vulnerabilities to reduce the risk of compromise to essential clinical performance to an acceptable level;

7.    Keep in contact and maintain a solid, formal business relationship with any software vendors to ensure they are providing you timely information about any quality and/or security problems that you can correct and/or prevent; and[xv]

8.    Incorporate elements consistent with the National Institute of Standards and Technology Framework for Improving Cybersecurity Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond and Recover).


The threat that a pacemaker will be hacked by foreign terrorists may be low, but the risk of devastating and life-threatening cybersecurity attacks in medical devices and healthcare is significant. To ensure the future protection of medical devices in a networked world, device manufacturers, regulatory bodies, healthcare providers and patients must engage in a coordinated proactive approach that includes standard cybersecurity assessment and control, together with specific medical device data and workflow considerations.

Read part one of this series on navigating the medical device field and vulnerabilities of medical devices here and part two on cybersecurity and attacks on medical devices here.

[iii] Supra, note 1.

[iv] Id.

[v] Patricia AH Williams, Andrew J Woodward, Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem, Med Devices (Auckl). 2015; 8: 305–316.

[vi] Id.

[vii] Supra, note 2.

[viii] Williams, Woodward, supra note 5.

[ix] U.S. Food and Drug Administration, Cybersecurity, May 10, 2016.

[x] Supra note 1.

[xi] Id.

[xii] Id.

[xiii] Akin Gump Strauss Hauer & Feld LLP, Medical Device Alert, January 28, 2016.

[xiv] Supra note 2.

About Drug / Device Law Blog

Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about our Drug and Device practice.


The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


For Important Legal Updates and Resources on the Coronavirus Click Here.