Many health care entities were victims of the most recent ransomware attack, known as NotPetya (among other nicknames), which prompted the Office of the National Coordinator (ONC) to issue guidance to assist health care entities in the aftermath.

In two separate warnings/updates, ONC provides guidance to health care entities on what to

On December 28, 2016, the Food and Drug Administration (FDA) issued guidance on Postmarket Management of Cybersecurity in Medical Devices. The guidance clarified aspects of the reporting requirements under Part 806 (21 CFR part 806), which require device manufacturers and importers to report certain device corrections and removals to the FDA. Most actions taken by manufacturers to address cybersecurity vulnerabilities and exploits are considered “routine updates and patches” that do not require advance notification or reporting. However, actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health must be reported to the Agency. The guidance:

  • Clarified the changes to devices that are considered cybersecurity routine updates and patches (e.g., certain actions to maintain a controlled risk to health); and
  • Outlined circumstances where FDA does not intend to enforce reporting requirements under Part 806 for specific vulnerabilities with uncontrolled risk.
