On the heels of an FDA committee report concerning cybersecurity issues with medical devices, the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks.

According to the FDA’s October 1st notice, the URGENT/11

The Patient Engagement Advisory Committee (Committee) to the Food and Drug Administration (FDA) met recently to discuss cybersecurity in medical devices. Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features designed to improve healthcare and increase providers’ ability to treat patients. However, as medical devices become more

The Food and Drug Administration (FDA) has issued a recall of 465,000 St. Jude Medical pacemakers in order to push a mandatory firmware patch for vulnerabilities in six types of radio-controlled cardiac pacemakers.

According to the FDA, it “has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers

The Food and Drug Administration (FDA) issued guidance yesterday (September 6, 2017) entitled “Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices,” which is intended to “assist industry and FDA staff in identifying specific considerations related to the ability of electronic medical devices to safely and effectively exchange information and use exchanged information.”

The

The Food and Drug Administration (FDA) recently issued a warning letter to St. Jude Medical, alleging that it failed to properly investigate issues with the batteries in its defibrillator implants and failed to fix the cybersecurity of its in-home monitoring system, known as Merlin@home. The monitoring system is wireless and is connected to St.

On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates and patches” that do not require advance notification or reporting. However, actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health must be reported to the Agency. The guidance:

  • Clarified the changes to devices that are considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health); and
  • Outlined circumstances where FDA does not intend to enforce reporting requirements under Part 806 for specific vulnerabilities with uncontrolled risk.


Whenever fact sheets or other guidance is issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), it helps us gain insight into the thinking of the regulators, so we watch it closely.

But when the ONC and OCR issue joint guidance, it is hitting the jackpot.

The U.S. Food and Drug Administration (FDA) just issued draft guidance on the Use of Electronic Health Record Data in Clinical Investigations for comment within the next 60 days.

The guidance is intended to assist all parties associated with clinical research with the appropriate use of electronic health records in FDA-regulated clinical investigations, which in