Virta Labs Blog


FDA Postmarket Cybersecurity Guidance Respects Clinical Workflow

Posted by Michael Holt on Apr 26, 2016 11:28:56 AM

Last week, the Food and Drug Administration (FDA) closed the public comment period on the draft guidelines for Postmarket Management of Cybersecurity in Medical Devices.

In our decade of experience in healthcare security, we've noticed that the most effective information security tools do not disturb clinical workflow.  That's why we are pleased to see that FDA's draft guidance not only respects clinical workflow, but also makes crisp, actionable recommendations to manufacturers so that Healthcare Delivery Organizations (HDOs) can get back to their core mission of healthcare delivery.  Here's the comment we submitted to FDA; see below for an explanation.


Our comments focus on safe vulnerability scanning and risk management.  Why?  Our customer base of HDOs, more than any other industry, constantly struggles with asset and vulnerability management, and safe vulnerability scanning is an important ingredient of a successful solution.

  • Even small HDOs have thousands of devices that need to be monitored.
  • Some devices move between rooms and networks.
  • Some devices are powered on and connected only at certain times.
  • Some devices touch electronic health records.
  • Some devices depend on antique operating systems far outside extended support.
  • Some devices crash when probed by vulnerability scanners.
  • Some have vulnerabilities that the vendor should have patched years ago.

To minimize the risks of malware (including ransomware), HDOs need sharp tools that give them constant visibility into their complex networks. That's why we've built BlueFlow™ to help IT and clinical engineering address medical device vulnerabilities.

We're excited to see other healthcare security leaders submitting comments:

Virta Labs is developing healthcare-friendly tools that reduce malware risks.  To learn more about how Virta Labs can help your organization with postmarket monitoring of cybersecurity risk in medical devices, please request more information at
