US/EU: Safety in the Case of Networked Medical Devices

The US Food & Drug Administration (FDA) has published a guideline on cybersecurity for active medical devices. The FDA considers guidelines and standards to be of particular importance in this area, as more and more medical devices are networked or software-supported. We have taken the publication of this guideline as an opportunity to shed some light on the data privacy aspects of this area.

The classic example of the need for cybersecurity in the field of active medical devices is the pacemaker. For patients whose heart rhythm depends entirely on the device, attacks on these products could, in a worst-case scenario, have a fatal outcome. The same applies to implants or devices that deliver drugs (morphine, insulin, etc.) under program control. Because of these high risks, the FDA recommends that manufacturers follow the provisions of the National Institute of Standards and Technology (NIST) for development and operation, in order to improve the cybersecurity of critical infrastructures.

Europe has Directive 90/385 on the approximation of the laws of the Member States relating to active implantable medical devices, which, among other things, stipulates that the proper functioning of the programming, control and monitoring systems, including software, must be ensured. In Germany, for example, the MDS points to risks in this area.

Medical device manufacturers walk a fine line between convenience for patients and maintenance staff on the one hand and the creation of security gaps on the other, since the methods and procedures used for both networking and remote maintenance of devices are generally expected to increase risk. Where data, such as raw data from medical devices, is transmitted over remote communication links, there is also the risk that it will be intercepted. Another open question is whether, and how, weaknesses and problems that come to light later can be remedied without the device having to be replaced, and therefore explanted.

The FDA guideline on the development of appropriate procedures and safety precautions can help data protection officers in this industry, as well as manufacturers and developers of such medical devices. However, the question should also be raised whether a network connection is really necessary for the product to function at all. After all, such functionality also means, for example, a shorter battery life for implanted devices.

Further information:


© 2012 - 2019 |  2B Advice LLC - the privacy benchmark