Is a cybersecurity patch or update a reportable event under the Reports of Corrections and Removals regulation (21 CFR Part 806)? The FDA recently issued a guidance document entitled “Postmarket Management of Cybersecurity in Medical Devices.” It explains that a patch or update to correct and/or prevent a cybersecurity breach or weakness does not necessarily require a report under Part 806. Whether the District Office recall coordinators still expect a report is not addressed.
The ONC established the Information Sharing Analysis Organization (ISAO), which provides a forum for manufacturers to voluntarily participate in what could be seen as a self-help group. Participation in the ISAO gives you a pass on reporting under Part 806. Why? The FDA cannot address the overwhelming volume and aggressive evolution of cybersecurity problems with medical devices. Sadly, the problems involve more than the devices themselves; they cascade into bad publicity, and patients become alarmed by the publicity surrounding cybersecurity attacks.
The problem is not limited to devices alone. Healthcare facilities find their software systems held for ransom until they pay for restoration, a coercive extortion. Without institutional software, current medical care procedures grind back to a manual program, much like a flashback to SOPs in the 1950s. Patients on life support and life-sustaining devices are placed in immediate danger.
The National Institute of Standards and Technology (NIST) is trying to make headway in providing guidance on how to manage these kinds of issues that plague devices and health care organizations. Neither you nor the FDA can keep up with preventative measures. Hackers are ahead of the game.
The webinar will address how the federal government is creating a forum for manufacturers to share information and their experiences concerning cybersecurity. Maybe reporting a patch or update under Part 806 is an acceptable cost for not participating in the ISAO program. There are issues lurking behind the use of the ISAO forum. Make sure you consider the issues that are included in this webinar.
- FDA Guidance and Strategy
- Industry-wide approach
- Regulatory relief from required reports
- Management of Health Information
- National Institute of Standards and Technology Cybersecurity guidelines
- Business risks vs. benefits for application interface programs (AIP)
- Hospital extortion
- FBI warning to the medical device industry
- Regulatory Affairs Departments
- Quality Assurance Departments
- Software Design Engineers
- Manufacturing Departments
- Compliant Departments
- Hospital Risk Departments
- Software Program Marketers
- IT Security Departments
- Marketing Departments
- Home Healthcare Services
- Healthcare Information Protection Departments
- Capital Venture Firms
- Medical Device Consultants