CHIME, AEHIS weigh in on FDA's medical device cybersecurity guidance
Near the end of the FDA’s public comment period in response to its recommendations related to medical device cybersecurity standards, the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) offered 12 suggestions of their own in a letter to the agency.
The draft guidance was released by the FDA in January, with the agency saying “exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices.”
CHIME and AEHIS believe the solution begins with more cooperation between healthcare organizations and device manufacturers, along with industry-wide safety regulations.
“Manufacturers should be required to configure their devices according to an industry accepted security standard that accounts for the basic principles of cybersecurity controls and alleviates risks,” the letter said.
Among its other recommendations: adopting a single risk framework for all manufacturers, requiring devices to pass a security validation approval process before going to market, and allowing manufacturers some sort of “safe harbor from regulatory enforcement” if they respond quickly to security problems.
The FDA’s draft guidance seemed to support this idea, saying “in cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency if certain conditions are met.”
The comment period on the FDA’s draft guidance ended April 21.