State officials are urging hospitals to review device cybersecurity risks and align policies with FDA guidance.


The Texas Health and Human Services Commission is directing healthcare facilities across the state to review and align with US Food and Drug Administration cybersecurity guidance for medical devices, citing risks tied to networked and remotely accessible equipment.

The notice applies to hospitals, acute care facilities, and long-term care facilities, and outlines steps organizations should take to assess and mitigate cybersecurity risks associated with medical devices.

According to the agency, facilities should review applicable FDA guidance for devices in use and align internal policies and procedures—including procurement, maintenance, and decommissioning processes—with those recommendations. The notice also calls for evaluating devices with network or remote access capabilities for potential vulnerabilities and coordinating with manufacturers, vendors, and internal IT and security teams to address risks.

The directive, issued March 26, follows prior FDA communication identifying cybersecurity vulnerabilities in certain patient monitors, including the Contec CMS8000 and Epsimed MN-120. The vulnerabilities could expose patient data and affect device performance, prompting FDA recommendations for software patches and limiting device functionality to local use.

Medical devices that incorporate software, wireless communication, or network connectivity may introduce cybersecurity risks affecting both patient safety and data integrity, the agency notes. Recommended mitigation steps include identifying and managing vulnerabilities, applying security patches, implementing safeguards and controls, and maintaining ongoing risk assessment and incident response planning.

Failure to address these risks could lead to unauthorized access, disruption of clinical services, compromised patient data, and potential impacts on patient safety, according to the notice.

The agency says the guidance should be shared across clinical engineering, biomedical services, IT, compliance, and executive leadership teams.
