Posted 18 May 2017 | By Michael Mezher
The US Food and Drug Administration (FDA) on Thursday kicked off a fortuitously-timed public workshop on medical device cybersecurity, the agency's third on the subject to date.
At the workshop, FDA officials, representatives from industry and researchers are trying to determine the current gaps in regulatory science as it relates to cybersecurity with the aim of coming up with fixes for those gaps down the road.
FDA's previous cybersecurity workshops in October 2014 and January 2016 focused on collaborative efforts on cybersecurity, such as information sharing and vulnerability disclosure, and on discussing FDA's guidance documents on pre- and postmarket cybersecurity.
"What a week to pick to have the cybersecurity workshop, certainly very topical," said Edward Margerrison, director of the Office of Science and Engineering Laboratories at the Center for Devices and Radiological Health (CDRH), referring to the "WannaCry" ransomware that struck computer systems around the world last Friday.
"This is certainly not a theoretical issue for us. This is real and it's here today," Margerrison said.
Going forward, Suzanne Schwartz, associate director for science and strategic partnerships at CDRH, said the regulatory science tools the agency develops must "be proactive and … set up in a way that enables anticipating what the regulatory and public health issues are."
"The events of the past week, the global impact of cyberattacks on critical infrastructure, the vulnerabilities of medical devices on connected systems, and the real-time difficulties that healthcare provider organizations have in guarding against these kind of attacks … bring this message home to us today," Schwartz said.
In the course of a few days, some 300,000 computers in more than 150 countries were hit by WannaCry, and while the attack did not target healthcare systems, hospitals were among the most heavily impacted.
The attack also marked a turning point for medical device cybersecurity. On Wednesday, Forbes reported that a Bayer radiology device was infected with the ransomware. Bayer confirmed to Forbes that it received two reports from customers that its devices were affected by the ransomware, but did not specify the model of the devices.
The WannaCry attack highlighted a number of critical challenges for device makers, many of which were brought up during the workshop.
One issue is that medical devices often have a lifecycle that is much longer than the support offered for software applications. For instance, the vulnerability WannaCry targeted was patched by Microsoft in March, but only for supported systems, so computers running older operating systems, such as Windows XP, were left unprotected.
"When I worked in the aviation world, if you had gone into Boeing and suggested Windows XP operating systems in display units in their cockpit they would throw you off. They understand the lifecycle of an aircraft is 25 or 30 years," said Ken Hoyme, director of product and engineering systems security at Boston Scientific.
"We need to think about operating systems that can be long-term supported, that can be much simpler than the complexity we put in. With complexity comes vulnerabilities [and] the need to patch more often," he said.
The settings medical devices are used in also play a significant role in how secure they are.
Kevin McDonald, director of clinical information security at the Mayo Clinic, said that most healthcare systems don't have the time, money or resources to address cybersecurity on their own.
According to McDonald, medical devices are the "weakest link" across Mayo Clinic's enterprise security devices, because updating, patching and replacing the thousands of devices the clinic uses presents a major undertaking. However, McDonald said he has 13 people on staff who specifically deal with medical device cybersecurity, while some small hospitals may not have anyone on staff with that level of focus or expertise.
"We still have some stuff with DOS," he said, referring to Microsoft's long defunct Disk Operating System first released in 1981 and discontinued in 2000.
However, even if a vulnerability is patched, distributing that update poses other challenges. There may be downtime associated with installing the update, and the update itself could introduce new issues.
Hoyme also questioned where to draw the line for "break glass" or fail-safe modes on devices to bypass certain security authentication. On the one hand, such systems provide a way for healthcare providers to quickly use a device in an emergency situation, while on the other they introduce a security vulnerability that could potentially be exploited.
"Does providing a break glass mechanism provide a mechanism to bypass security altogether and introduce harm?" Hoyme asked, raising the question of how such mechanisms could be put in place while still maintaining security.
Experts at the workshop will continue to discuss these issues on Friday, and FDA says it plans to publish a report on findings from the workshop sometime in late 2017.
Tags: Cybersecurity, WannaCry