The Food and Drug Administration (FDA) has published a discussion paper dedicated to the cybersecurity vulnerabilities associated with medical devices. In particular, the document describes the best practices to be considered when communicating with healthcare professionals and patients about the potential risks arising from cybersecurity issues, and outlines how information about cybersecurity threats and vulnerabilities should be provided to the patients and customers using medical devices.


The FDA additionally emphasizes that the document is not intended to inform industry representatives about the authority's current position on the desired regulatory approach. Through the document, the Agency intends to collect additional information and opinions to be considered when developing a new framework for addressing cybersecurity issues related to medical devices.

Regulatory Background

The present FDA communication paper is dedicated to medical devices that must be connected to the Internet or to a local network of any kind in order to operate normally when used for their intended purpose. Thus, the scope of the document covers a wide range of medical devices, from wearables to implantable devices. According to the information available to the Agency, the significant increase in the use of such devices is accompanied by a corresponding increase in cybersecurity vulnerabilities, and the authority intends to develop and implement the measures necessary to reduce such risks as far as possible. In this regard, effective communication between all the parties involved in operations with medical devices becomes especially important, since it ensures that vitally important information about identified cybersecurity vulnerabilities and threats is exchanged without undue delay. The FDA itself also takes the appropriate steps to make such information available to the public as soon as reasonably possible, in order to ensure the safety of the patients using affected medical devices.

The document also contains the recommendations developed by the Patient Engagement Advisory Committee (PEAC), an FDA body focused on the scientific issues related to medical devices and on the use of medical devices by patients. The Committee takes part in creating new approaches to communicating important safety-related information to patients. Cybersecurity vulnerabilities associated with medical devices are currently among the Committee's key priorities.

By issuing the present document, the Agency expects to get feedback from industry representatives, clinical researchers, patients, and other parties involved in operations with medical devices. The comments and suggestions received by the FDA would later be used to improve future cybersecurity safety communications. In particular, they would be used to form the basis of a new cybersecurity communications framework.

Cybersecurity Consultation Scope 

According to the FDA, the scope of the present consultation on cybersecurity vulnerabilities associated with medical devices covers, inter alia, the following questions: 

  1. Whether the particular elements determined by the Agency in the context of cybersecurity communication framework are the most appropriate and relevant.
  2. Whether there are some elements that are still missing or ones that could be clarified or improved.

The document also describes in detail the particular elements highlighted by the FDA, namely:

  • Interpretability. The communication on cybersecurity vulnerabilities should be clear and understandable to patients and customers. The Agency emphasizes such important characteristics of safety-related communications as timeliness, relevance, simplicity, and readability. When issuing a communication, it is important to consider the particular audience it is addressed to.
  • Discussion of risk and benefits. In certain cases, it is unclear whether the identified cybersecurity vulnerabilities or threats could result in actual adverse events or incidents, so the Committee recommends a “balanced discussion between risk and benefits, highlighting the benefits especially if it is a lifesaving device”. The main idea is to provide the patients and healthcare professionals using the device with sufficient information to evaluate the options available and make an appropriate decision.
  • Acknowledge and Explain the Unknown. All gaps in the information or knowledge related to a safety communication should be highlighted to avoid misunderstanding and confusion. In accordance with this principle, patients and healthcare professionals should clearly understand what still remains unknown or unclear, so that they are able to make decisions and act accordingly. For instance, if the particular ways in which the identified cybersecurity vulnerability could be exploited by third parties are unknown, it should be explicitly stated that the potential consequences are unknown but that the risk still exists.
  • Availability and findability. The information on cybersecurity vulnerabilities and the associated risks should be easily accessible to healthcare professionals and patients. It should also be stored in a structured way that makes it easy to find via an online search. In particular, the Agency encourages the use of best practices in search engine optimization, e.g. including the name of the device in question, the name of its manufacturer, and important keywords in the content to simplify searching for it. It is also recommended to include the name of the medical device and the cybersecurity vulnerability in the title of the safety-related communication to simplify identification.
  • Mobile-friendly format. According to recent research, smartphones are increasingly used to access the Internet. Hence, safety-related information on cybersecurity vulnerabilities related to medical devices should be presented in a format compatible with mobile devices, including the use of sub-headers, brief paragraphs, and plain language. This is especially important because search engines usually rank mobile-friendly content higher.

Safety Communications: Key Aspects

Another important question addressed by the FDA discussion paper relates to the structure of the communication. In particular, the Agency encourages the use of an internal structure and hierarchy to simplify access and search. Most attention should be paid to the main message and to the recommendations that matter for healthcare professionals and patients. It is also recommended to place the most important safety-related information at the top of the communication and to keep it short. The core information should cover such aspects as the related diseases or the affected medical devices. Other approaches include visual cues (e.g. tables, italics, and bold text) to draw the reader's attention. The information should be grouped according to the matters it covers.

The document also describes a potential approach to the outreach methods and distribution vehicles to be used to ensure that information on cybersecurity vulnerabilities is effectively communicated to the wide range of healthcare professionals and patients it is relevant to. According to the document, it is necessary to develop and execute an outreach plan covering such aspects as the target audience, the key messages, and the distribution vehicles to be used.

In summary, the FDA discussion paper on cybersecurity vulnerabilities associated with medical devices highlights the most important questions regarding safety-related communications: how to convey the most important information to healthcare professionals and patients so that network-connected medical devices can be used in a safe and efficient way.

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.