The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.¹

Two of the primary FDA guidance documents are: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices. The Premarket guidance was issued on October 2, 2014 (new draft version available since October 2018) and the Postmarket guidance was issued on December 28, 2016. Both documents emphasize the need for manufacturers to take a risk-based approach to:

1. The Cybersecurity of the medical devices themselves.
2. The network(s) they may be designed to integrate with.
3. The impact on other devices which they may interface with.
4. The intended use environment the device will operate in.

Cybersecurity is a dynamic topic that continues to evolve as more medical devices are connected to Electronic Medical Record (EMR) systems as part of their product requirements.

The FDA recognizes “AAMI TIR57:2016 Principles For Medical Device Security – Risk Management” as a consensus standard. This risk-based approach is nearly identical to the approach that is used for assessing the safety risks of a medical device that is familiar to designers/manufacturers using the consensus standard “ANSI/AAMI/ISO 14971:2007/(R)2010 Medical Devices – Applications of Risk Management To Medical Devices”.

This presentation will provide an overview of the FDA guidance documents along with an actual use case that leverages TIR57 which will give the audience an idea of the process used to fulfill the objectives of those guidance documents.  A Q&A session will follow the presentation.

Key Takeaways:

• Identify the information that the FDA will be looking for from the medical device manufacturers.
• Gain a sense of the FDA-accepted approach for assessing the Cybersecurity of a given medical device.
• Understand the relationship of medical device security to patient safety.
• Establish contact points for further information: documentation/standards, involvement in user groups (ISAOs), mailing lists, and websites.

Course Fee: $45 per person. Non-refundable but transferable within company.

Larry Marko

Mr. Marko is a Software Program Manager at Design Solutions. Mr. Marko has 34 years of product development experience work on software systems. This experience includes software design and software management for medical, military, commercial, aerospace, and industrial control industries. His areas of expertise are in project management, software management, and embedded software design. In addition, Mr. Marko specializes in software development in compliance with IEC 62304 Medical Device Software – Software Life Cycle Processes.