Risk Management
FDA considers the stakeholders for medical IoT devices to include the medical device manufacturers, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA.
Mitigating cybersecurity threats to device users and to device operation is one of the key concerns. Collaboration among FDA's regulated stakeholders to reduce these cybersecurity threats is encouraged. To further improve risk management, manufacturers of these IoT devices are encouraged to use the draft version of the Cybersecurity Practice Guide, NIST SP 1800-15, when building the devices. The collaborative risk management approach strives for a consistent assessment of, and response to, the disruption that cybersecurity threats pose to device operations and users.
Standards and guidelines specifically for designing and securing IoT devices and platforms are still at an early stage of evolution. Any IoT platform that qualifies as a CMS Processing Environment (please refer to the definition in TRA Foundation, Processing Environments) must comply with the CMS TRA, ARS, RMH, and all HHS and CMS security and privacy requirements.