
“Risk managers must integrate the management of cybersecurity risk into their established processes.” CHRIS MORGAN, EXPERT IN REGULATORY-DRIVEN PRODUCT INNOVATION, PA CONSULTING GROUP

Cybersecurity Risk in Medical Devices – does your risk management documentation meet the latest FDA requirements?

The June 2013 FDA guidance on the ‘Content of premarket submissions for management of cybersecurity in medical devices’ requires medical device manufacturers to produce evidence that their ISO 14971 risk management process considered information security risks to the medical device, and that it addressed those risks with appropriate security controls as part of the device’s design.

The regulatory landscape for cybersecurity risk management in networked medical devices has developed rapidly, and for many manufacturers the key challenges are:

  • how to understand cybersecurity in the context of their medical devices

  • how to integrate the management of cybersecurity risk into their established ISO 14971 risk management processes

Networked medical devices and other mobile health technologies have the potential to play a transformational role in healthcare, yet they may also expose patients and health care organisations to safety and security risks.

Among the unintended consequences of increasing networked connectivity in medical devices and healthcare systems are the risks of being hacked, being infected with malware, and being vulnerable to unauthorized access.

While such scenarios may seem far-fetched, actual reported incidents and FDA recall data highlight very real problems for networked medical devices. Known vulnerabilities and the potential for intentional threats have culminated in the need to regulate cybersecurity risk management in such devices.

For the experienced medical device risk manager, the first step to understanding cybersecurity in the medical device context is to get to grips with the comparative terminology.

In ISO 14971, hazards act through sequences of events to create hazardous situations with the potential for injury or damage. In ISO 27005, threats exploit vulnerabilities of information assets, and the resulting compromise of systems or data leads to risks (potential harms).

The way forward to integrating the management of cybersecurity risk becomes clearer once it is recognised that the definition of HARM as managed through ISO 14971 is extended to ‘physical injury or damage to the health of people, or damage to property or the environment or reduction in EFFECTIVENESS, or breach of DATA AND SYSTEM SECURITY.’

ISO 14971 risk management is a critical binding process in medical device development. It has long been established for most manufacturers that an integrated approach is essential across the device lifecycle and across ever more diverse device technologies, with the management of cybersecurity risk the latest addition.

PA Consulting Group continues to lead in product compliance management and medical device design, and understands the true impacts of regulatory change.

To find out more about PA's medical device design and compliance related services, please contact us now.

Mark Humphries
Product development and manufacturing