The U.S. FDA’s latest draft guidance for premarket cybersecurity considerations expands considerably on the previous edition, and suggests that the manufacturer’s cybersecurity responsibilities include security in a health care facility’s network.

The U.S. FDA’s latest draft guidance for premarket cybersecurity considerations expands considerably on the previous edition, and suggests that the manufacturer’s cybersecurity responsibilities include security in a health care facility’s network.

The International Medical Device Regulators Forum (IMDRF) has posted a draft guidance for cybersecurity practices for legacy devices, a nod to the number of older devices that are difficult to secure. This document is a follow-up to a standing IMDRF guidance that spans the product life cycle, but which apparently left stakeholders with a few questions.

For the second time in four years, the FDA has issued a draft guidance for cybersecurity in premarket applications, just one of several actions undertaken recently by the U.S. federal government in connection with cybersecurity.

At this year’s Healthcare Information and Management Systems Society (HIMSS) 2022 conference in Orlando, Fla., digital health companies across the sector gathered to showcase new products and services. HIMSS CEO Hal Wolf urged the industry to focus on global health equity and a 2022 survey of health care leaders highlighted the elements of digital transformation that are causing the biggest buzz.

The U.S. FDA has issued an advisory regarding vulnerabilities identified in the Axeda line of remote access software published by PTC Inc., which may affect more than 100 products made by dozens of manufacturers. The vulnerability could allow a hacker to trigger changes in the operation of the affected devices, a massive risk to patients undergoing medical imaging and radiotherapy procedures. The FDA notice stated that the Axeda Agent and desktop server programs are the subject of a notice by the Cybersecurity & Infrastructure Security Agency (CISA), which characterizes the vulnerability as requiring only a low-complexity attack to exploit.

Though the Ukraine war has had an impact on the availability of medical devices and diagnostics, a number of companies based in the U.S. and Europe have announced measures to ensure their products will reach the war-torn nation. Device companies are donating millions to nongovernmental organizations for humanitarian assistance, while the Advanced Medical Technology Association (Advamed) said its member companies are tracking the situation and are eager to pitch in with desperately needed supplies and medical equipment.

Japan’s Ministry of Health, Labor and Welfare (MHLW) released a number of new guidelines and clarifications on medical device regulatory issues including cybersecurity, remanufactured single-use devices (SUDs) and the Medical Device Single Audit Program (MDSAP).

Cybersecurity challenges can represent an existential threat to patients on medical devices, and a new report by New York-based Cynerio Inc. highlights some of those challenges. One of the findings in the report is that nearly three-fourths of intravenous pumps, which make up 38% of a hospital’s internet of things (IoT) footprint, are vulnerable to an attack, a predicament that continues to put desperately ill patients in jeopardy.

The FDA has struggled to revise a guidance related to cybersecurity in medical devices, but developers now have more than just lagging FDA guidances to worry about where cybersecurity is concerned. The U.S. Department of Justice (DoJ) has unveiled a program designed to leverage the False Claims Act to pursue entities that come up short of regulatory expectations for cybersecurity, constituting a new vector for liability for makers of devices and medical software.