Software Integrity Blog


As FDA medical device comment period ends, 2 healthcare organizations call for more standards

Two healthcare executive organizations are calling on the Food & Drug Administration (FDA) and the Department of Health and Human Services (HHS) to produce more guidance for medical device manufacturers.

Seeking to clarify the need for greater collaboration among medical device manufacturers around cybersecurity in general, the Food & Drug Administration (FDA) last January released a new draft document, “Post-market Management of Cybersecurity in Medical Devices,” and opened a 90-day public comment period. That period ended April 21, 2016.

Before the close of comments, the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) proposed in a letter, among other things, that the Department of Health and Human Services (HHS) start developing cybersecurity standards for the medical device industry.

“Manufacturers should be required to configure their devices according to an industry accepted security standard that accounts for the basic principles of cybersecurity controls and alleviates risks,” wrote CHIME and AEHIS representatives in their letter. “We recommend HHS introduce a certification program for the medical device industry to ensure that devices being purchased have met vigorous testing and cybersecurity quality controls,” they continued. Their commentary also discusses the definitions of “Controlled Risks” vs. “Uncontrolled Risks” and the challenges this might introduce.

The comments from these organizations, along with other commentary received, will be incorporated into a final draft due later this summer.
