Cybersecurity features of digital medical devices: an analysis of FDA product summaries.

Abstract

ObjectivesTo more clearly define the landscape of digital medical devices subject to US Food and Drug Administration (FDA) oversight, this analysis leverages publicly available regulatory documents to characterise the prevalence and trends of software and cybersecurity features in regulated medical devices.DesignWe analysed data from publicly available FDA product summaries to understand the frequency and recent time trends of inclusion of software and cybersecurity content in publicly available product information.SettingThe full set of regulated medical devices, approved over the years 2002–2016 included in the FDA’s 510(k) and premarket approval databases.Primary and secondary outcome measuresThe primary outcome was the share of devices containing software that included cybersecurity content in their product summaries. Secondary outcomes were differences in these shares (a) over time and (b) across regulatory areas.ResultsAmong regulated devices, 13.79% were identified as including software. Among these products, only 2.13% had product summaries that included cybersecurity content over the period studied. The overall share of devices including cybersecurity content was higher in recent years, growing from an average of 1.4% in the first decade of our sample to 5.5% in 2015 and 2016, the most recent years included. The share of devices including cybersecurity content also varied across regulatory areas from a low of 0% to a high of 22.2%.ConclusionsTo ensure the safest possible healthcare delivery environment for patients and hospitals, regulators and manufacturers should work together to make the software and cybersecurity content of new medical devices more easily accessible.