FDA released its guidance for protecting medical devices from cyber attack, but one cyber security expert says the real test will be how the agency reacts when manufacturers don't follow its recommendations.

October 1, 2014

FDA Guidance on Medical Device Cyber Security is Here, But Will It Have Teeth?

With today’s release of the much-anticipated guidance document on cyber security of medical devices, FDA is talking the talk necessary to get the medtech industry to take the issue of cyber security seriously. But one cyber security expert says it remains to be seen if the agency will walk the walk to back it up.

For more on medical device cyber security, attend the keynote presentation by Zimmer's chief information security officer Olayinka James at MD&M Minneapolis on October 29, 2014.

“It’s a very, very good first step,” Mike Ahmadi, global director of medical security at software firm Codenomicon, says of FDA’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance for industry and agency staff. “More important is going to be what their follow-up is.”

The guidance encourages medical device manufacturers to develop design inputs related to cyber security and establish a cyber security vulnerability and management approach as part of required software validation and risk analysis. It also provides a recommended cyber security framework for manufacturers to follow and lays out recommendations for how companies should document the steps they’ve taken to ensure the cyber security of their devices in premarket submissions.

Ahmadi, who says he advised the agency on the guidance, predicts it will encourage medical device companies—especially small ones—to take the issue of cyber security more seriously.

“In our experience, smaller medical device companies seem to prioritize things a bit differently, with security being a lower priority issue than it is for larger companies,” he says. “I think this is going to encourage them to put it higher on their priority list.”

But Ahmadi adds that the real test will be what the agency does if manufacturers don’t follow the guidance.

“When the submission is coming to FDA and if the information they’re asking for in the guidance is absent, what is FDA going to do about that? Are they going to reject the application or come back and say it’s insufficient?” Ahmadi asks. “What remains to be seen is how serious FDA is about this.”

The agency will hold a public workshop titled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity," at which Ahmadi will speak, on October 21–22, 2014, in Arlington, VA. A webinar to explain the cyber security guidance and provide a forum for questions will follow on October 29, 2014, from 2 to 3 p.m. ET. 


Jamie Hartford, managing editor, MD+DI

[image courtesy of CHANPIPAT/FREEDIGITALPHOTOS.NET] 
