A product has been approved and is on the market. Can cybersecurity activities now be discontinued? Of course not. Cybersecurity risks arise continuously, and it is not possible to identify and address every vulnerability in advance. Cybersecurity must therefore be treated as a process that is maintained continuously, hand in hand with risk management. Failure to maintain cybersecurity exposes the device to the following threats:
- Impairment of device functionality
- Loss of availability
- Loss of integrity of (medical or personal) data
- Compromise of other connected devices or networks
For medical devices, this in turn can lead to injury and even death.
What specifically should be done?
The following list is intended as guidance on which activities should be performed regularly. These activities should be planned as part of one or more defined processes.
- Regularly check cybersecurity vulnerability and risk databases for new vulnerabilities.
- Regularly check the known-issue (bug) lists of SOUP and OTS software components.
- Ensure good cybersecurity hygiene and further reduce even those risks already judged acceptable.
- Provide software patches and updates to quickly close vulnerabilities.
- Thoroughly verify and validate all software changes, patches, and updates.
- Review market feedback on cybersecurity attacks and events. This also applies to products from other manufacturers.
- Conduct penetration tests regularly or have them carried out by external companies.
- Regularly update accompanying information such as the instructions for use. Inform customers of vulnerabilities and provide guidance so that they can take appropriate steps to mitigate risks and make informed decisions about device use.
- Check devices on the market for cybersecurity incidents (e.g., logging access attempts with false credentials or evaluating DoS attacks).
- When vulnerabilities are identified, promptly inform customers and take action to address risks while the vulnerability exists.
- Regularly review cybersecurity risk management. See also the article AAMI TIR57 – Cybersecurity Risk Management for Medical Devices.
What should be reported to the FDA?
Device manufacturers are required by 21 CFR part 806 to notify the FDA of changes and corrections. However, the FDA points out that changes made solely to improve cybersecurity are not reportable if all of the following circumstances are met:
- There are no known serious adverse events or deaths related to the vulnerability;
- As soon as possible, but no later than 30 days after becoming aware of the vulnerability, the manufacturer informs its customers and users about the vulnerability, identifies interim mitigating measures, and develops a remediation plan that reduces the residual risk to an acceptable level. The measures should not pose a greater risk to the safety and essential performance of the device than the original vulnerability. The manufacturer must document the time-based justification for its remediation plan. Communication with customers should include, at a minimum, the following:
a. A description of the vulnerability, including an impact assessment based on the manufacturer's current knowledge,
b. A declaration by the manufacturer that it will make every effort to eliminate the risk of patient harm as soon as possible,
c. A description of compensating measures, if any, and
d. An indication that the manufacturer is working on the issue and will communicate the availability of a solution in the future.
- As soon as possible, but no later than 60 days after the vulnerability is identified, the manufacturer fixes the vulnerability, validates the change, and distributes the ready-to-use fix to its customers and the user community, reducing the residual risk to an acceptable level. Under certain circumstances, a compensating measure may serve as a long-term solution, provided the risk of patient harm is reduced to an acceptable level. The measures should not pose a greater risk to the safety and essential performance of the product than the original vulnerability. Furthermore, the manufacturer should follow up with end users beyond the initial 60-day period if necessary.
- The manufacturer actively participates as a member of an ISAO (Information Sharing and Analysis Organization) that shares vulnerabilities and threats affecting medical devices, such as NH-ISAC, and makes all communications available to the ISAO after notifying its customers.
All manufacturers should be aware of how short these response times are. The development team is often busy with other products, and finding a solution and completing all required activities within such a window is a real challenge. Many manufacturers are also not members of an ISAO, which by itself makes notification to the FDA necessary.
Cybersecurity Examples
Examples are the best way to understand these often abstract issues. I've included two here to help you better understand what a concrete cybersecurity attack might be and how to proceed. Of course, it's also worth taking a look at the FDA guidance itself.
1) Malware on a blood gas analyzer
A device manufacturer receives customer feedback that a blood gas analyzer has been infected with malware, raising concern that the malware could alter data on the device. The manufacturer examines the device and confirms the presence of malware. However, the data was not tampered with, and the safety and essential performance characteristics of the device were not affected. Risk management therefore determines that the risk is acceptable. The manufacturer informs users how to remove the malware and subsequently provides a patch that addresses the vulnerability. The customer provides all relevant data to the ISAO. No notification to the FDA under 21 CFR part 806 is required.
2) Defibrillator
A manufacturer is alerted by a researcher to a vulnerability that could allow its Class III defibrillator to be reprogrammed by an unauthorized user. If exploited, this vulnerability could result in permanent disability, life-threatening injury, or death. The manufacturer is not aware of the vulnerability having been exploited and determines that it stems from a hard-coded password. The risk assessment concludes that the exploitability of the vulnerability is moderate and that the risk of patient harm is uncontrolled. The manufacturer notifies the appropriate stakeholders and distributes a validated emergency patch within 60 days. The manufacturer does not actively participate as a member of an ISAO and therefore reports this action to the FDA in accordance with 21 CFR 806.10.
Further examples can be found in the FDA's Postmarket Management of Cybersecurity in Medical Devices Guidance.
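To make the reporting decision described above concrete, here is an added example (not from the FDA guidance or this article) that encodes the four exemption criteria as a checklist and runs the two scenarios through it. The class, function names and all dates are assumptions constructed for illustration; the 30- and 60-day deadlines come from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Deadlines as summarised on this page (FDA postmarket cybersecurity guidance).
COMMUNICATION_DEADLINE_DAYS = 30  # inform customers, interim mitigations, remediation plan
REMEDIATION_DEADLINE_DAYS = 60    # validated fix distributed to customers


@dataclass
class VulnerabilityCase:
    name: str
    identified_on: date
    serious_adverse_events: bool           # known deaths or serious harm linked to the flaw
    customers_informed_on: Optional[date]  # None = not yet done
    fix_distributed_on: Optional[date]     # None = not yet done
    active_isao_member: bool               # manufacturer actively participates in an ISAO
    shared_with_isao: bool                 # communications passed on to the ISAO


def _days_after(start: date, when: Optional[date]) -> Optional[int]:
    return None if when is None else (when - start).days


def assess_part_806(case: VulnerabilityCase) -> Tuple[bool, List[str]]:
    """Return (reportable_under_21_cfr_806, unmet_criteria). A cybersecurity-only
    change is exempt from reporting only when all four criteria above hold."""
    unmet: List[str] = []
    if case.serious_adverse_events:
        unmet.append("known serious adverse events or deaths related to the vulnerability")
    informed = _days_after(case.identified_on, case.customers_informed_on)
    if informed is None or informed > COMMUNICATION_DEADLINE_DAYS:
        unmet.append(f"customers not informed within {COMMUNICATION_DEADLINE_DAYS} days")
    fixed = _days_after(case.identified_on, case.fix_distributed_on)
    if fixed is None or fixed > REMEDIATION_DEADLINE_DAYS:
        unmet.append(f"validated fix not distributed within {REMEDIATION_DEADLINE_DAYS} days")
    if not (case.active_isao_member and case.shared_with_isao):
        unmet.append("manufacturer is not an active ISAO member sharing its communications")
    return (bool(unmet), unmet)


# Constructed cases modelled on the two examples above; all dates are assumed.
BLOOD_GAS_ANALYZER = VulnerabilityCase(
    "blood gas analyzer malware", date(2024, 3, 1), False,
    date(2024, 3, 10), date(2024, 4, 15), True, True)
DEFIBRILLATOR = VulnerabilityCase(
    "defibrillator hard-coded password", date(2024, 3, 1), False,
    date(2024, 3, 12), date(2024, 4, 20), False, False)
```

Any unmet criterion, such as the missing ISAO membership in the defibrillator case, makes the correction reportable; a case that stalls before the 60-day fix is distributed is flagged in the same way.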
Conclusion
It is well worth reviewing your own market surveillance processes to ensure they fit the specifics of cybersecurity. In cybersecurity in particular, vulnerabilities can become known at short notice and require rapid remediation, and there are specific reporting deadlines and measures to observe. When an incident occurs there is already enough to do; that is not the moment to start getting to grips with the subject of cybersecurity from scratch.
If you have any questions about cybersecurity in the field of medical technology, I look forward to hearing from you.
Best regards
Goran Madzar
