The growth of connected devices and the IoT raises serious data privacy and security concerns. To deal with the IoT hazards facing patients and their data, the FDA has released guidance on cybersecurity for medical devices.

The FDA proposal states that an increasing number of medical devices need to be networked in order to ease patient care. As with other networked computer systems, the software associated with these medical devices may be exposed to cybersecurity threats.

The agency notes that exploitation of these exposures puts the safety and performance of medical devices at risk. It calls for steady maintenance throughout the entire product life cycle to provide an acceptable level of protection. Dedicated handling of these risks reduces the impact on patient safety and public health.

Before these proposed guidelines are finalized, stakeholders have 90 days to submit their comments to the FDA.

What do people say?

  • Torsten George, the vice-president of global marketing, congratulated the FDA, saying that this is the first time that somebody is defending against the perils related to the IoT.
  • The agency is strengthening the security rules for medical device makers, said Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society. “I think it contributes some guarantee for healthcare providers; in addition, they should scan their networks,” Kim said.
  • Chris Wysopal, CTO of Veracode, said that the guidelines are notably important because healthcare IT is very consent-oriented. As he put it, “If an administrative force has nothing to say, systems think they don’t have to do anything because they don’t go down a risk-based path, as financial service companies or manufacturers do when they try to safeguard their brand or intellectual property”.


  • Even though the FDA has made a good move against cybersecurity threats, guidelines are only instructions on how to behave, so medical device makers could ignore them without worrying about punishment, because no fines are mentioned yet, though they may be set later.
  • Since there are so many medical devices out there, competition could also play a role in pushing device makers to comply with the guidelines.
  • George noted that the courts are acting rigorously when it comes to cybersecurity. If someone is exploiting the rules and not taking up best practices, the courts lean towards consumers and end users when judging them. These guidelines can also provide material for possible legal actions against device makers.
  • Kim said that legal pressure can motivate medical device manufacturers to reinforce their security practices.

The report proposes that healthcare organizations should examine the medical devices they use and hold the dealers liable for security breaches.

The report notes that many medical devices, such as MRI scanners, X-ray machines and drug infusion pumps, are more exposed to hacking, so there is a need for significant precautions regarding health risks to patients.