  • Regulatory News

    TGA Pushes for Total Product Lifecycle Approach to Medical Device Cybersecurity

    New draft guidance from Australia’s Therapeutic Goods Administration (TGA) encouraged use of regulatory policies that span total product lifecycles (TPLC) to ensure medical device cybersecurity. A “growing area of interest” for TGA relates to “a large number” of class II, class III and active implantable devices registered in Australia that contain “electronic components with embedded software, have a software accessory or are a software device,” the regulator noted in ...
  • Regulatory News

    Premarket Device Cybersecurity: Health Canada Issues Draft Guidance

    Health Canada posted a new draft guidance document on Friday to aid medical device manufacturers in complying with premarket cybersecurity requirements. The move comes as more regulators seek to expand on considerations for the cybersecurity of medical devices as the health care sector became a prime target for cyberattacks amid an increasingly connected ecosystem. The US Food and Drug Administration (FDA) issued premarket draft guidance for medical devices ...
  • Regulatory News

    Lawmaker Seeks Answers to OIG’s Findings on FDA’s Cybersecurity Policies

    A recent report from the Office of the Inspector General (OIG) “highlighted some very important issues” where the US Food and Drug Administration (FDA) “has room for improvement,” Sen. Chuck Grassley (R-IA) argued in a letter to FDA Commissioner Scott Gottlieb. The 9 November letter from Grassley, chairman of the Senate Judiciary Committee, follows on the heels of the findings and recommendations OIG at the US Department of Health and Human Services outlined in a...
  • Regulatory News

    UL Wades into Cybersecurity of Connected Medical Devices

    Safety science firm UL is honing in on the cybersecurity of connected medical devices, suggesting a two-pronged approach that spans across the total product life cycles of devices and the healthcare ecosystem. UL began wading into healthcare as it increasingly became a prime target for cyber attacks in recent years, Anura Fernando, UL chief innovation architect of medical systems interoperability and security, told Focus. Factors that drove its decision to join the...
  • Regulatory News

    HHS OIG Finds Flaws in FDA’s Postmarket Cybersecurity Procedures

    In a report released Thursday, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) says it found weaknesses in the US Food and Drug Administration’s (FDA) policies and procedures for handling postmarket medical device cybersecurity vulnerabilities. With the proliferation of networked medical devices, both FDA and medical device makers have increased their focus on cybersecurity. In recent years, FDA has organized public workshops and ...
  • Regulatory News

    Cybersecurity: FDA Spells Out Updated Premarket Policies

    With its first guidance in the device space in FY 2019, the US Food and Drug Administration (FDA) unveiled an awaited draft guidance on Wednesday to clarify the agency’s cybersecurity expectations from a premarket perspective. The draft guidance is an update to 2014 premarket policies on cybersecurity and came as the ink was still wet on the memorandum of agreement (MOA) between FDA and the US Department of Homeland Security (DHS) for strengthening a coordinated approac...
  • Regulatory News

    Cybersecurity: CDRH to Update 2014 Premarket Policies

    Ahead of a new US Food and Drug Administration (FDA) draft guidance set to be released in FY 2019, lead of cybersecurity initiatives at the Center for Devices and Radiological Health (CDRH) Suzanne Schwartz previewed policy changes at RAPS’ 2018 Convergence. The US healthcare industry has become a target for cyberattacks over the past few years and this has been partly linked to inadequate device designs, which must undergo regulatory premarket reviews to mitigate cy...
  • Regulatory News

    Experts Look For Lessons in FDA's Pacemaker Cybersecurity Recall

    In a paper in JAMA this week, two experts highlight lessons that could be learned from the US Food and Drug Administration's (FDA) first major cybersecurity-related recall for a permanent implantable medical device. Background: In August, Abbott announced a voluntary recall of some 465,000 pacemakers to patch cybersecurity vulnerabilities that were first acknowledged by FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Resp...
  • Regulatory News

    Merck: Cyberattack Caused $135M in Lost Sales

    In its third quarter earnings report, US pharmaceutical company Merck said that manufacturing disruptions tied to a cyberattack last June led to $135 million in lost sales and caused the company to borrow from a US Centers for Disease Control's (CDC) strategic stockpile to meet demand for one of its vaccines. On 27 June, a cyberattack involving ransomware known as "Petya" or "NotPetya" infected government and business computer systems in Ukraine before spreading to other...
  • Regulatory News

    House Bill Calls for New FDA-Led Device Cybersecurity Panel

    Republican representatives David Trott (R-MI) and Susan Brooks (R-IN) last week introduced a bill calling for the US Food and Drug Administration (FDA) to lead a new public-private working group on medical device cybersecurity. The bill, known as the Internet of Medical Things Resilience Partnership Act, calls on FDA to set up a working group with representatives from other federal agencies, industry and academia to "develop recommendations for voluntary frameworks a...
  • Regulatory News

    Congress Sets Sights on Pharma Cybersecurity After Attack

    Leadership from the House Energy and Commerce (E&C) committee on Wednesday called on Merck CEO Ken Frazier and Department of Health and Human Services Secretary (HHS) Tom Price to brief Congress on the impact of a recent cyberattack on the healthcare sector. Background: On 27 June, a cyberattack involving ransomware known as "Petya" or "NotPetya" infected government and business computer systems in Ukraine before spreading to other corporate networks around the world. M...
  • Regulatory News

    DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps

    The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) on Thursday issued an advisory detailing eight cybersecurity vulnerabilities found in Smiths Medical's Medfusion 4000 wireless infusion pumps. The vulnerabilities, identified by cybersecurity researcher Scott Gayou, range in severity from low severity to critical on the Common Vulnerability Scoring System (CVSS V3), and according to ICS-CERT, could be exploited r...