Medical Device Cybersecurity: New FDA Guidance Underscores Threat

    Like companies in most other industries, life sciences companies are not immune to cyber-attacks. Cybercriminals continue to target medical device, pharmaceutical, and biotech companies. These threats pose potential risks to patient safety and public health.
    Emphasizing the reality of cyber vulnerabilities, in January 2016, the Food and Drug Administration (FDA) issued draft guidance to inform the industry of recommendations on how to manage the post-market vulnerabilities of medical devices. The guidance urges medical device manufacturers to address cybersecurity throughout the life cycle of a product – from design and development, to deployment and maintenance of the device.

    A growing number of medical devices are networked to facilitate patient care. The software used to enable their functionality may be vulnerable to cybersecurity threats. As stated in the draft guidance, ensuring adequate protection against potential exploits is crucial and requires continual maintenance throughout the life cycle of a product. The FDA outlines the following recommendations for a proactive approach to mitigating cyber breaches in the post-market phase for medical devices:
    • Engage in cybersecurity information sharing and monitoring within the medical device community
    • Promote routine device cyber maintenance
    • Assess post-market information
    • Employ a risk-based approach to characterizing vulnerabilities
    • Ensure timely implementation of necessary actions to mitigate emerging cybersecurity risks

    What Does CohnReznick Think?

    Medical device manufacturers are at the nexus of where science and technology intersect, bringing to life leading-edge innovations in patient care. Technology has enabled stunning advancements in the field of medicine, but as the use of technology increases so do the associated vulnerabilities. As the FDA points out, failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death. It is therefore imperative that medical device manufacturers keep cybersecurity top-of-mind throughout the entire life cycle of a device — from conception to obsolescence. 
    The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, which the FDA recommends in the guidance, provides a road map for developing a comprehensive cybersecurity risk management program. Clients in several industries have incorporated elements of the NIST Framework into their cybersecurity programs to strengthen their cyber risk mitigation strategies with positive results.

    For more information on the recent FDA guidelines, please contact Jim Ambrosini, Managing Director, CohnReznick Advisory, at 973-618-6251 or, or Alex Castelli, Partner and Life Sciences Industry Practice Leader, at 703-744-6708 or

    This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.