FDA promotes cyber security
standard for medical devices

The FDA has recognised and encouraged the use of a consensus standard to help medical device manufacturers address cyber security concerns.

The American National Standards Institute and Association for the Advancement of Medical Instrumentation published its standard SW96:2023, which provides requirements on methods to perform security risk management for medical devices. The FDA said that this standard aligns with existing international safety risk management standards and quality systems defined by ISO 14971 and provides direction to sponsors on how to address cyber security risks in device design and development.

“From an operational perspective, the recognized and defined medical device security consensus standards are very helpful for hospitals and health systems. These measures provide clearly defined and consistent security standards to help evaluate possible cyber risk associated with new medical devices and emerging technology among vendors.

“The standards also highlight the need for manufactures to communicate and coordinate with health care delivery organizations to assist in the identification and management of security risks.

“It is recommended that hospital and health system clinical engineering and cyber security teams conduct a coordinated review of the defined consensus standard to ensure that newly purchased medical devices and technology, subject to these standards, are in compliance,” said John Riggi, AHA’s national advisor for cyber security and risk.

As well as recognising the standard, the FDA has also encouraged device manufacturers to endorse it. “We encourage the use of this new standard to enhance quality and support product performance,” the agency said.

Earlier this year, infusion pumps sold on secondary markets in the US were found to still carry sensitive information about the hospitals that once owned them, with a 2022 study conducted by cyber security firm Palo Alto Networks revealing that as many as 75% of smart infusion pumps out of 200,000 connected to hospital networks may be vulnerable to digital attacks.

Further reading:

Recognised consensus standards: medical devices: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/detail.cfm?standard__identification_no=44689

Devices sold on second-hand market retain sensitive data: https://www.regulatoryrapporteur.org/industry-news/devices-sold-on-second-hand-market-retain-sensitive-data/390.article