The FDA’s New Medical Device Development Tools (MDDT) Program

Blog Post by Jonathan Elmer, Senior Associate at Meditology Services

The US Food and Drug Administration (FDA) announced a new Medical Device Development Tools (MDDT) program on October 20, 2020.[1] The MDDT includes information security evaluation criteria for assigning risk ratings to medical device security vulnerabilities.

This blog post provides a summary of the FDA’s MDDT program and its applicability for supporting medical device security programs for healthcare delivery organizations.

The FDA announced that the MDDT is a “way for the FDA to qualify tools that medical device sponsors can use in the development and evaluation of medical devices.”[2]

Included in the MDDT is a rubric for applying CVSS vulnerability ratings to medical devices. The rubric walks the assessor through a series of questions at defined decision points to arrive at a vulnerability rating.

This framework is designed to help manufacturers prioritize remediation for weaknesses that may pose a threat to patient safety. It is a departure from the standard security vulnerability rating process, which looks at devices from an IT standpoint and lacks the context of medical care and treatment. The tool helps highlight and prioritize security vulnerabilities, but healthcare organizations must still overcome the daunting challenge of patching and remediating known vulnerabilities in new and legacy medical devices.

The framework recommends a multi-disciplinary team to work on assigning the CVSS scores including:

  • Cybersecurity and privacy
  • Device engineering, design, and architecture
  • Patient health impact from resulting hazards
  • HDO device usage scenarios and clinical workflow impact
  • Information technology integration and interoperability

The vulnerability management support provided in the MDDT is a step in the right direction toward maturing medical device security models. It provides some much-needed context and consistency to medical device security vulnerability ratings. However, this new tool adds another piece to an already crowded set of disparate medical device security guidance and standards from both public and private sources.

We outlined the various standards and toolsets available on the market in a separate blog entry, Navigating the Library of Medical Device Security Standards.

Vulnerability management is only one aspect of a comprehensive medical device security program that incorporates the people, processes, and technology required to safeguard patient safety related to medical device security weaknesses. We have worked with leading health systems to design and implement medical device security programs that consider the following criteria:

  • Medical device security governance and communication
  • Asset management & discovery
  • Virus and malware protection
  • Vulnerability management and patching
  • Technical security configurations
  • Access controls
  • Third party validation and vendor risk management
  • Workforce training
  • Network protection and isolation

Meditology is a top-ranked healthcare security and privacy firm servicing healthcare entities of all shapes and sizes. We were designated the #1 Best in KLAS firm for 2019 and 2020 for healthcare cybersecurity advisory services.

We have extensive experience building and implementing medical device security programs at leading health systems across the country. We have also advised the federal government on medical device security and ethical hacking matters.

Contact us to learn more about how we can help you with your medical device security program needs.
