FDA / Regulatory News
New Cybersecurity Guidance under MDR and IVDR
New guidance published for Medical Device and IVD Cybersecurity under MDR and IVDR in Europe.
The Medical Device Coordination Group (MDCG) published new guidance on Jan 6, 2020 to help manufacturers fulfill all the relevant cybersecurity requirements in Annex I of the Medical Devices Regulation (MDR) and In-vitro Diagnostic Medical Devices Regulation (IVDR).
The new texts lay down certain new essential safety requirements (IT security, Information security, Operation security, and Medical Device Design security) for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves.
The guidance notes that the primary means of security verification and validation is testing.
Test Methods can include:
- security feature testing
- fuzz testing (technique used to discover coding errors and security loopholes in software, operating systems or networks)
- vulnerability scanning
- penetration testing
- tools for secure code analysis
- tools that scan for open source code and libraries used in the product, to identify components with known issues
FDA’s Breakthrough Devices Program matures
The voluntary program allows developers of devices or combination products that more effectively treat or diagnose “life-threatening or irreversibly debilitating diseases or conditions” to seek special status from the agency to have closer, more timely interaction with regulators throughout premarket activities.
The number of devices designated under the program in 2019 reached 136. Last year, FDA approved or cleared five breakthrough-designated devices:
- novel ear tube delivery system to treat recurrent ear infections
- implantable pulse generator and a carotid sinus stimulator (lowers blood pressure) for heart failure patients
- single-use duodenoscope meant to cut down on spread of infection
- rapid diagnostic test for Ebola virus
Product Recalls and Issues
GE cybersecurity flaw gets maximum risk score
FDA has issued a notice about cybersecurity vulnerabilities affecting GE Healthcare Clinical Information Central Stations and Telemetry Servers. The vulnerability scored 10 out of 10 on a risk scale outlined in a Department of Homeland Security notice flagging the issue
FDA’s statement outlined the potential for a hacker to remotely interfere with the function of patient monitors without being detected. Intrusion by a hacker may appear to be part of normal network communication, enabling them to take actions that threaten patients without being detected by the security team.
“An attacker could potentially silence an alarm that is intended to communicate vital information about a patient to health care staff, such as apatient’s cardiac status,” the agency wrote.
To eliminate the risk, GE is working on software updates to close off the vulnerability. GE is yet to provide a timeline for the rollout of the security update.
