
Understanding FDA guidance on medical device cybersecurity

Medical device security is a growing concern. Expert Mike Villegas shares how to make sense of the new FDA cybersecurity guidelines for medical device manufacturers.

On Oct. 24, 2014, Reuters reported that the U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers. These include an infusion pump and implantable heart devices. Not only is this a danger to human life, which is the most critical risk, but it also undermines the integrity and safety of these devices.

The FDA issued Content of Premarket Submissions for Management of Cybersecurity in Medical Devices on Oct. 2, 2014, which provides guidance for medical device manufacturers on cybersecurity functions that strengthen such devices against hacker exploitation. The guidance stresses that these are strictly recommendations and not requirements, but on review the functions appear sound and practical for any medical device manufacturer and its networks.

There are two types of premarket submissions:

  • A premarket notification, or 510(k), is submitted to the FDA before a manufacturer proposes to market a medical device.
  • A premarket approval (PMA) is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices. Under federal law, Class III devices are subject to approval of a Premarket Approval Application. Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.

The FDA classifies medical devices into three classes:

  • Class I devices are subject only to general controls. They typically present the lowest potential for harm. Examples of Class I devices include elastic bandages, examination gloves and hand-held surgical instruments.
  • Class II devices are those for which general controls alone are insufficient to provide a reasonable assurance of safety and effectiveness. Examples of Class II devices include powered wheelchairs, infusion pumps and surgical drapes.
  • Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury. Examples of Class III devices include replacement heart valves, silicone gel-filled breast implants and implanted cerebellar stimulators.

What does this mean for manufacturers and hospitals? It means that, especially for Class III life-support devices, whose failure can be life-threatening, the cybersecurity controls listed in the guidance should be deployed at a minimum.


Manufacturers need to ensure these devices have 510(k) or PMA approval, depending on their classification. Class III devices must be designed with strict security measures for identification, authentication, monitoring, authorization and integrity checks, so that layered controls stand in the way of surreptitious attacks. No device is absolutely secure or failure-free, but the goal is to maximize fault tolerance and cybersecurity. In particular, manufacturers should focus on medical devices that connect, wirelessly or by wire, to another device, to the Internet or other networks, or to portable media such as USB drives or CDs; these are the most exposed to cybersecurity threats.

A point emphasized in the FDA guidance is that security controls should not unreasonably hinder access to a device, especially in an emergency situation. This means that a balance between ease of access and strong cybersecurity controls needs to be in place.
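The balance described above, plus the identification, authentication, monitoring and authorization measures named earlier, can be illustrated in code. The following is an added example, not code from the FDA guidance or from the article: a minimal access model for a networked device with role-based authorization, an inactivity session timeout, and an audited emergency ("break-glass") path, so that a caregiver is not locked out in an emergency but every such use is recorded for later review. The roles, privilege sets, timeout value and audit-record format are constructed assumptions.

```python
"""Added example: RBAC + session timeout + audited emergency access for a
networked medical device. Roles, privileges, the 5-minute timeout and the audit
record format are assumptions made for this demonstration."""
from dataclasses import dataclass, field

# Constructed role -> privilege mapping (assumption, not from the guidance).
ROLE_PRIVILEGES = {
    "caregiver": {"view_status", "silence_alarm"},
    "physician": {"view_status", "silence_alarm", "change_dose"},
    "admin": {"view_status", "configure_network", "apply_update"},
}
# Clinical actions available through the emergency path; administrative
# actions (network config, updates) are deliberately excluded.
EMERGENCY_PRIVILEGES = {"view_status", "silence_alarm", "change_dose"}
SESSION_TIMEOUT_S = 300  # assumed inactivity timeout in seconds


@dataclass
class Session:
    user: str
    role: str
    last_activity: float
    emergency: bool = False


@dataclass
class Device:
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def login(self, user: str, role: str, now: float) -> bool:
        """Normal identification: the user is bound to a known role."""
        if role not in ROLE_PRIVILEGES:
            self._audit(now, user, "login_rejected", f"unknown role {role}")
            return False
        self.sessions[user] = Session(user, role, now)
        self._audit(now, user, "login", role)
        return True

    def break_glass(self, user: str, reason: str, now: float) -> bool:
        """Emergency access: granted immediately, but the stated reason is
        written to the audit log so the event can be reviewed afterwards."""
        self.sessions[user] = Session(user, "emergency", now, emergency=True)
        self._audit(now, user, "break_glass", reason)
        return True

    def authorize(self, user: str, action: str, now: float) -> bool:
        """Authorization check with an inactivity timeout; every decision is audited."""
        s = self.sessions.get(user)
        if s is None:
            self._audit(now, user, "denied", f"{action}: no session")
            return False
        if now - s.last_activity > SESSION_TIMEOUT_S:
            del self.sessions[user]
            self._audit(now, user, "session_expired", action)
            return False
        s.last_activity = now
        allowed = EMERGENCY_PRIVILEGES if s.emergency else ROLE_PRIVILEGES[s.role]
        ok = action in allowed
        self._audit(now, user, "allowed" if ok else "denied", action)
        return ok

    def _audit(self, now: float, user: str, event: str, detail: str) -> None:
        self.audit_log.append({"t": now, "user": user, "event": event, "detail": detail})


def demo():
    """Walk through the expected decisions on constructed input."""
    d = Device()
    d.login("nurse1", "caregiver", 0)
    results = [
        d.authorize("nurse1", "silence_alarm", 10),                      # allowed by role
        d.authorize("nurse1", "change_dose", 20),                        # not a caregiver privilege
        d.authorize("nurse1", "view_status", 20 + SESSION_TIMEOUT_S + 1),  # session timed out
    ]
    d.break_glass("oncall", "patient deteriorating, no physician logged in", 400)
    results.append(d.authorize("oncall", "change_dose", 401))   # emergency access, audited
    results.append(d.authorize("oncall", "apply_update", 402))  # admin action still refused
    return results, d.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

The design point is that the emergency path does not weaken the administrative controls (firmware updates and network configuration stay out of reach) and that it is noisy by design: a reviewer can list every `break_glass` record and check that each had a legitimate reason.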


Hospitals and other medical service centers need to ensure that the devices they purchase come with documented assertions that they have undergone strict empirical cybersecurity testing and, possibly, independent review. Without these assertions, medical organizations should rethink whether to purchase these devices or consider another vendor.

After deciding on a short list of medical devices to choose from, hospitals need to take a pragmatic view of cybersecurity before making the final selection. They should ask the following: Does this device…

  • Have a current and approved PMA issued by the FDA?
  • Require user authentication such as ID and password, smartcard or biometrics, such as fingerprint scanning?
  • Have a session timeout feature after a predetermined period of time?
  • Use role-based access controls to grant privilege levels such as caregiver, physician or system administrator?
  • Use strong encryption such as WPA2 for wireless connections?
  • Provide multifactor authentication to permit privileged device access?
  • Use strong password syntax rules to mitigate the risk of compromise, for example minimum password length, alphanumeric characters, a different password on each device, encryption, and so on?
  • Provide physical locks for the device itself and any communication ports to minimize tampering?
  • Provide current antimalware/antivirus software for protection during external connectivity, including software or firmware updates?
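The integrity checks named earlier and the last checklist item above (protection during software or firmware updates) meet in one concrete control: a device should refuse an update package whose origin or contents it cannot verify. The following is an added example and not code from the article, the FDA or any device vendor. It shows the manufacturer side building a manifest and integrity tag for a firmware image, and the device side checking the tag, the hash, the size and the version before accepting it. The package format and the symmetric key "provisioned at manufacture" are constructed assumptions; it uses HMAC-SHA256 so it runs with the standard library alone, whereas a production device would normally carry only a public key and verify an asymmetric signature, so that nothing on the device can forge an update.

```python
"""Added example: verifying a firmware/software update package before install.
Package layout (JSON manifest + HMAC-SHA256 tag) and the device key are
constructed assumptions for this demonstration."""
import hashlib
import hmac
import json

# Constructed: integrity key assumed to be provisioned into the device at manufacture.
DEVICE_INTEGRITY_KEY = b"example-key-provisioned-at-manufacture"


def _canonical(manifest: dict) -> bytes:
    # Stable serialization so manufacturer and device tag exactly the same bytes.
    return json.dumps(manifest, sort_keys=True).encode()


def build_package(firmware: bytes, version: str, key: bytes) -> dict:
    """Manufacturer side: describe the image in a manifest and tag the manifest."""
    manifest = {
        "version": version,
        "size": len(firmware),
        "sha256": hashlib.sha256(firmware).hexdigest(),
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "firmware": firmware}


def version_newer(candidate: str, installed: str) -> bool:
    """Dotted numeric versions; a replayed or older package must not be installed."""
    to_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return to_tuple(candidate) > to_tuple(installed)


def verify_package(pkg: dict, key: bytes, installed_version: str) -> tuple:
    """Device side: every check must pass before the image is applied.
    Returns (accepted, reason)."""
    expected = hmac.new(key, _canonical(pkg["manifest"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself leaks nothing about the key.
    if not hmac.compare_digest(expected, pkg["tag"]):
        return False, "manifest tag mismatch"
    fw = pkg["firmware"]
    if len(fw) != pkg["manifest"]["size"]:
        return False, "size mismatch"
    if hashlib.sha256(fw).hexdigest() != pkg["manifest"]["sha256"]:
        return False, "firmware hash mismatch"
    if not version_newer(pkg["manifest"]["version"], installed_version):
        return False, "downgrade or replay rejected"
    return True, "ok"


def demo() -> dict:
    """Run the check against a genuine package and three constructed bad ones."""
    fw = b"\x7fELF constructed firmware image v2"
    good = build_package(fw, "2.1.0", DEVICE_INTEGRITY_KEY)
    # One byte altered in transit, same length: caught by the hash check.
    tampered = dict(good, firmware=fw[:-1] + b"X")
    # Manifest edited after tagging to claim a newer version: caught by the tag check.
    forged = dict(good, manifest=dict(good["manifest"], version="9.9.9"))
    # Genuine but older package replayed to the device: caught by the version check.
    old = build_package(b"constructed old image", "1.0.0", DEVICE_INTEGRITY_KEY)
    installed = "2.0.3"
    return {
        "good": verify_package(good, DEVICE_INTEGRITY_KEY, installed),
        "tampered": verify_package(tampered, DEVICE_INTEGRITY_KEY, installed),
        "forged": verify_package(forged, DEVICE_INTEGRITY_KEY, installed),
        "old": verify_package(old, DEVICE_INTEGRITY_KEY, installed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

When evaluating a vendor, the useful question is whether the device performs checks of this kind itself rather than trusting whatever the update tool or USB stick presents, and whether a rejected update is logged so that repeated failures are visible to the hospital.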

This guidance, in addition to recommending cybersecurity controls for medical devices, also refers to two related guidance documents: Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, and Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.


The FDA defines the "Level of Concern" as an estimate of the severity of injury that a device could permit or inflict, either directly or indirectly, on a patient or operator as a result of device failures, design flaws, or simply by virtue of employing the device for its intended use. Strict review of Class III devices is critical. Ensure all classes, in particular Class III, have 510(k) or PMA approval. The importance of protecting these devices cannot be overstated.

About the author:
Miguel (Mike) O. Villegas is Vice President for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.


This was last published in February 2015
