Makers of medical devices already have a substantial series of requirements related to cybersecurity, but those requirements may increase per a draft rule released by the U.S. Cybersecurity and Infrastructure Security Agency.
Henry Schein Inc., long known primarily as a dental equipment distributor, added two deals to its 2023 roster that will expand its presence in the orthopedics market. The company agreed to acquire a majority interest in Trimed Inc., which focuses on solutions for treatment of the upper and lower extremities, and entered into a strategic relationship with Extremity Medical LLC.
The U.S. Federal Trade Commission announced Nov. 21 that it has obtained a civil monetary penalty in the amount of $700,000 from CRI Genetics LLC, an enforcement action taken under the agency’s policy for biometrics information.
The medical device industry might at times believe that it is the sole focus of the U.S. federal government thinking about cybersecurity, but the FDA is hardly alone in leaning hard on industry to stand up a solid cybersecurity regime. The Securities and Exchange Commission (SEC) is also turning the screws on corporate America regarding cybersecurity, as seen in enforcement against Solarwinds Corp., an enforcement action that Seth Carmody of Medcrypt Inc. said highlights the breadth of regulatory hazards for the med-tech industry.
As reported previously in coverage by BioWorld, the U.S. FDA’s latest guidance on cybersecurity elevates the agency’s demands for medical device cybersecurity, but the agency advised industry in a recent webinar that hospital IT systems are fraught with cybersecurity hazards of their own, and thus device makers should view these IT systems as potentially hostile environments where cybersecurity is concerned.
The Consolidated Appropriations Act of 2023 covered a lot of budget terrain for the U.S. federal government, but Section 3305 was unusual for this type of bill in that it called on the FDA to require cybersecurity features as a part of the Quality System Regulation (QSR).
The U.S. Securities and Exchange Commission’s final rule for disclosure of cybersecurity incidents would seem to weigh more heavily on device makers and their client hospitals than on other industries, particularly given that the draft rule required a four-day notification of any such events. The final rule retains that requirement to notify investors of any such breach within four days, although the SEC relented on the content of such disclosures to ease concerns about the potential for disclosures to amplify the cybersecurity threat.
Public companies registered with the U.S. SEC will soon have to disclose material cybersecurity incidents and annually report material information regarding their cybersecurity risk management, strategy and governance.
The U.S. FDA has released a final guidance for the agency’s refuse-to-accept (RTA) policy for cybersecurity measures in medical devices, a policy document that was required by Congress via the Consolidated Appropriations Act for the 2023 federal fiscal budget.