Sector News

FDA planning to require cybersecurity checks in device submissions

September 12, 2018
Life sciences

While the FDA has addressed threats to networked medical devices through its guidance and product evaluations, the agency should take more steps to fully integrate cybersecurity into its premarket reviews, according to an HHS report.

The HHS inspector general’s office recommended (PDF) the FDA and manufacturers use presubmission meetings to better address cybersecurity-related questions, and that the agency include cybersecurity as an element in its SMART template used in 510(k) submissions.

In addition, the office urged the agency to begin requiring cybersecurity documentation elements on its refuse-to-accept checklists. The FDA said it concurred with all three of HHS’ recommendations and has begun taking steps to implement them.

“Cybersecurity threats to networked medical devices are on the rise,” the inspector general’s office wrote. “Researchers and hackers have demonstrated that the lack of security controls in these devices makes them vulnerable to cybersecurity attacks, such as ransomware and unauthorized remote access. Such attacks can affect not only a single patient but can also impact a hospital system and disrupt the delivery of healthcare.”

Currently, the agency uses its 2014 guidance (PDF) to conduct its reviews of premarket applications and cybersecurity documentation submissions, including descriptions of a device’s cybersecurity risks, controls to mitigate those risks and lists of the threats considered by the manufacturer.

FDA reviewers take that information, as well as previously known cybersecurity threats, and apply them across their reviews of devices with similar profiles—such as threats that may affect a class of cardiac devices produced by different manufacturers, for example.

The agency often requests additional information and cybersecurity documentation from manufacturers with submissions, HHS said, following its review, and the FDA almost always clears or approves the cybersecurity aspect of networked medical devices following manufacturers’ responses.

However, the 510(k) review template currently does not prompt staff with specific questions, and it lacks a space dedicated for the results of a cybersecurity review, the report said, though the template has included a section on cybersecurity since September 2016.

For the agency’s refuse-to-accept checklist, the FDA plans to include cybersecurity requirements during its next update, after which manufacturer submissions may be turned away for lacking the necessary documentation.

By Conor Hale

Source: Fierce Biotech

comments closed

Related News

February 4, 2023

MedTrace receives U.S. patent for diagnosing the human heart

Life sciences

The U.S. Patent and Trademark Office issued a patent to MedTrace for their method of diagnosing the human heart via 15O-water PET. The patented method is the foundation of the company’s software aQuant, currently under development. Hendrik “Hans” Harms, PhD and Senior Scientist at MedTrace, and Jens Soerensen, Professor and Clinical Advisor to MedTrace, are the originators of the method.

February 4, 2023

Roche taps insider Teresa Graham for top pharma job as setbacks prompt M&A questions

Life sciences

Teresa Graham, currently head of global product strategy for Roche pharma, will become the division’s new CEO next month, Roche said Thursday. Simultaneously, Roche is elevating Levi Garraway, chief medical officer, to the executive committee.

February 4, 2023

J&J’s pharma group quietly works through global overhaul, with layoffs expected to reach multiple countries

Life sciences

Fierce Pharma has obtained internal documents and video of a town hall meeting conducted this week describing what J&J called a “comprehensive review” of its portfolio. Moving forward, J&J plans to operate its vaccines and infectious diseases outfits as one group, the executives explained.

How can we help you?

We're easy to reach