Cybersecurity Vigilance for Medical Devices

by | Mar 19, 2021 | Cybersecurity, FDA, Medical Devices, Quality, Regulatory

When I was working on a web application as a developer, I always noticed two small issues. The identified issues included data getting stored in the browser’s “session” storage and the display of the user ID in the location of the web page. To simply define session storage, it is the data stored inside the browser when a user logs in. Surely, while building applications or for testing, this is indeed a common practice where this session data gets referred multiple times. But in cases where critical data is getting saved in sessions such as a user or admin ID, it would be of major concern as session data is easily accessible by anyone. Truly, it is of major concern when the application is linked to a medical device such as a cardiac implant.

Such issues impact patient safety and manufacturers must implement certain strategies that test, identify, and mitigate all such issues. I found that the FDA along with the CDC has provided a couple of shrewd methodologies manufacturers or software engineers can implement to remain vigilant and protect their medical software systems. Initially, let me simply define what is Cybersecurity. The best definition as stated on Cisco’s web page is that it is a practice of securing systems (UI, services, databases, codebase) and networks from digital attacks.1 These activities are usually exhibited by unauthorized users, or ‘hackers’ as we commonly refer to them, to disrupt system functioning, hold ransom by locking systems and delete or change critical data to gain control. Considering the stated issues, we are going to discuss the five best ways to ensure that your system stays secure or protected against hackers.

One of the key roles of manufacturers is to immediately share information with users and patients in case of vulnerability identifications. Following such a strategy, other manufacturers can also learn that there might be a similar risk present in their system that has a similar intended use as to the medical device that was identified with vulnerabilities. The initial significant step here is to always look out for FDA guidance or news that provides the most recent updates relating to cybersecurity. The second step is to immediately report to the FDA when manufacturers identify anomalies to spread awareness regarding a specific cybersecurity adverse event.2

The next important step is to register the device with the manufacturer. Registration or automated connection promotes automated patches or updates. In other words, all the system components should be up to date for tackling the most recently released viruses or malware. If I have an old system that is not able to even recognize the virus, there is a high probability it might be compromised. This is the fourth step, that is, keep the software system always updated, either through manual updates or system-based automated updates which are published by the manufacturers themselves. 2

The last point is continuous real-time monitoring.3 A good practice which I also follow is to perform periodic data and system ‘health’ checkups. It ensures that the functioning of the software is as expected, and the data submitted or received (inputs and outputs) are clean and safe. Overall, always exchange information with the FDA for identified risks, keep track of the FDA’s most recent news on Cybersecurity, keep the manufacture’s registered system always updated, and implement methodologies such as automated data testing and logging for real-time data monitoring.

As mentioned, patient safety is a major priority, and manufacturers should thoroughly test and validate their system which ensures that the system is safe and effective. We have expertise in analyzing software applications and conducting a detailed risk assessment to identify any vulnerabilities present in the system. We specialize in software validation, which includes verifying if your medical device is integrated with an appropriate cybersecurity framework as accepted by the FDA. Do you have a software tool that needs Cybersecurity analysis, validation, or FDA-compliance? Our quality and software experts can get your software tool completely validated and guide you through the FDA regulatory process to ensure your Software As/In a Medical Device is FDA compliant. Contact us at 248-987-4497 or email us at info@emmainternational.com for more information.


1CISCO (2021). Retrieved on February 22, 2021 from https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html

2CDC (October 2020). #BeCyberSmart: 5 Ways to Protect Your Health Tech. Retrieved on February 22, 2021 from https://blogs.cdc.gov/publichealthmatters/2020/10/cybersecurity/.

3FDA (October 2020). Cybersecurity. Retrieved on February 22, 2021 from https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.

Govind Yatnalkar

Govind Yatnalkar

More Resources

Abbreviated 510k submission

Abbreviated 510k submission

There are three types of 510K, Premarket Notifications, which can be submitted to the Food and Drug Administration (FDA) traditional, abbreviated, and special. Abbreviated and Special 510K submissions can be utilized when the submissions meet the certain factors presented by the FDA. When submitting an abbreviated 510K the submission must include the elements that are identified in 21CFR 807.87 for the information required in a premarket notification submission.
Is your product a medical device?

Is your product a medical device?

Many marketed products are classified as medical devices and you would not even know it. Medical devices range from latex gloves and tongue depressors to respirators and heart valves. To determine if the product is considered a medical device by the Food and Drug Administration (FDA) you will need to analyze if your product meets the definition of a medical device per the Food, Drug, and Cosmetic Act1.
Sterilization of Medical Devices

Sterilization of Medical Devices

There are many ways to sterilize medical devices before use in the industry. The common methods utilized are steam, radiation, dry heat, ethylene oxide, and vaporized hydrogen peroxide. There are two methods of sterilization for medical devices recognized by the Food and Drug Administration (FDA), established and novel.

Ready to learn more about working with us?

Pin It on Pinterest

Share This