The FDA has released new guidance on information security practices for medical devices. Many hospitals' information security staff are left to battle medical device vendors over their poor (or often non-existent) practices in maintaining software security patches and updates, and those vendors can refuse to support a device if the hospital's IT staff apply such patches themselves. One of the claims these vendors can make is that any security update requires a 510(k) re-certification. The clear answer from the FDA is that security patches do not need to go through this re-certification unless there is an atypical circumstance in which the change would be expected to have the potential to affect patient safety.
The FDA's guidance from 2009 additionally fails to explicitly assign responsible parties, leaving the vendors room to debate the issue into submission. The guidance released yesterday closes many of these loopholes and reminds health care facilities that unaddressed non-compliance in a vendor's security practices should be reported to the FDA's Medical Device Reporting (MDR) program.