The former top US Food and Drug Administration (FDA) cybersecurity expert says it’s only a matter of time before disaster strikes in the form of a medical device exploit that could harm patients. To get ahead of the problem, he said the agency needs to hire dedicated cybersecurity staff.   For the past year and a half, Kevin Fu, a cybersecurity professor from the University of Michigan, has been on loan to FDA as the acting director of medical device cybersecurity at t...

At what point does manipulation or repair of a medical device cross the line from “servicing” to “remanufacturing?” A new draft guidance from the US Food and Drug Administration (FDA) provides a set of considerations to aid in determining into which category actions performed on devices should fall.   The new draft guidance “helps clarify whether activities performed on devices are likely remanufacturing,” wrote FDA’s Center for Devices and Radiological Health (CDRH) i...

In a scant notice posted to its website on Wednesday, the European Medicines Agency (EMA) divulged that it has been hit by a cyberattack. While the agency did not reveal any details about the extent of the attack, German vaccine developer BioNTech issued a statement saying that documents related its COVID-19 vaccine developed in partnership with Pfizer were “unlawfully accessed.” “It is important to note that no BioNTech or Pfizer systems have been breached in connectio...

The US Department of Veteran Affairs (VA) recently completed a two-year Cooperative Research and Development Agreement (CRADA) for medical device cybersecurity with UL, a science safety organization that has cybersecurity standards and conformity assessment programs.   Between 2016 and 2018, the VA used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in connected medical device deployment and lifecycle management, as we...

FDA’s Center for Devices and Radiological Health (CDRH) on Friday released its FY 2020 draft and final guidance list, which features a few repeats from last year and new drafts coming on device servicing and remanufacturing, unique device identification and patient-reported outcome measures used in device submissions, among others. As in years past, CDRH divides the list between “A-list” draft and final guidances, which are a priority, and a smaller “B-list” of draft an...

In its first guidance document to deal exclusively with the cybersecurity of medical devices, the International Medical Device Regulators Forum (IMDRF) this week released new general principles and best practices to facilitate better international regulatory convergence on the topic. The 45-page guidance document, developed by a working group led by officials from the US Food and Drug Administration (FDA) and Health Canada, includes both pre-market and post-market cyber...

The US Food and Drug and Administration’s (FDA) Center for Devices and Radiological Health (CDRH) on Tuesday convened its Patient Engagement Advisory Committee (PEAC) to discuss the difficulties and challenges in communicating cybersecurity safety risks and threats. Since 2013, CDRH has released safety communication related to eight device cybersecurity concerns, although the center notes that issues are customarily disclosed when there is a software update to fix an is...

EU’s medical technology trade association on Wednesday issued new recommendations to ensure a harmonized approach on medical devices and digital health technology cybersecurity. The European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) developed a set of seven recommendations to EU authorities to help guide a harmonization strategy for cybersecurity in line with security requirements set via new or forthcoming legislative...

Responding to a letter from Sen. Mark Warner (D-VA) that called for a collaborative effort to advance cybersecurity in health care, medical device industry group AdvaMed sought to ease concerns about the impact of cyber attacks with updates on industry and regulators’ moves in line with its five principles. The industry trade association’s board of directors adopted the set of five medical device cybersecurity principles in 2017 to drive best practices across its member...

Hundreds of thousands of units of Medtronic implantable cardiac devices, programmers and home monitors are vulnerable to cybersecurity incidents, according to two US federal government notices. On Thursday, the US Food and Drug Administration (FDA) issued an FDA safety communication, while the US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory to flag cybersecurity vulnerabilities detected in...

The industry group that set forth the new work item for a globally harmonized approach to medical device cybersecurity, which is currently under development, released a new white paper that provides an overview of best cybersecurity practices in medical technology manufacturing. The new white paper is intended to increase a manufacturer’s level of cybersecurity sophistication in manufacturing and engineering processes by following seven principles. These include segment...

Under a US Food and Drug Administration (FDA) contract, a new rubric developed by the Mitre Corporation is the first-of-its-kind to be specifically tailored to medical devices, and is set to take the form of a medical device development tool (MDDT) to ensure consistency in scoring cybersecurity risks. The common vulnerability scoring system (CVSS) open standard for assessing software vulnerability severity has seen widespread use on an international scale since its 2005...