Center for Devices and Radiological Health

Cybersecurity: Lessons learned in a hacker’s era

Monday, October 2, 2017

Cybersecurity is back in the public eye, with multiple incidents of malware attacks across the globe. Merck recently suffered an attack that disrupted the company’s manufacturing capabilities. Citing concerns about the drug supply, the U.S. House Committee on Energy and Commerce has asked Merck for an update by this week. The potential for cybersecurity intrusions also touches the medical device industry. Most recently, the U.S. Department of Homeland Security and ICS-CERT issued an advisory identifying eight cybersecurity vulnerabilities in an infusion pump from Smiths Medical. Previously, the FDA issued safety communications regarding vulnerabilities found in certain St. Jude Medical/Abbott cardiac pacemakers and Hospira infusion pumps.


St. Jude cybersecurity vulnerabilities spark medical device hacking debate

Monday, January 16, 2017

A recent cybersecurity scandal involving St. Jude’s Merlin@home device sparked a renewed discussion within the medical device industry about the best way to address security flaws discovered by independent security experts, sometimes called “white hat” hackers. As medical devices become increasingly vulnerable to cyber attack, the industry has broadly accepted its new responsibility of continuously protecting approved devices from potential security breaches.


Regulatory Update, June 2016

Wednesday, June 1, 2016

FDA Proposed Rule on Administrative Actions for IRB Noncompliance

In the April 4, 2016, Federal Register, the FDA proposed amending the regulations describing lesser administrative actions that may be imposed on an Institutional Review Board (IRB) that has failed to comply with applicable IRB regulations. The FDA is taking this action to ensure clarity and accuracy of the regulations. The FDA is proposing to amend language in 21 CFR 56.120(b) that describes lesser administrative actions the FDA may impose on an IRB until the IRB takes appropriate action to correct noncompliance identified during an FDA inspection of the IRB. This revision would state that the FDA has authority to require the IRB to withhold approval of new FDA-regulated studies conducted at the institution or reviewed by the IRB, to direct the IRB that no new subjects may be enrolled in ongoing studies and to terminate ongoing studies, provided that doing so would not endanger study subjects. Disqualification of the IRB would be used only if the noncompliance adversely affects the validity of the data or the rights or safety of the human subjects and lesser actions (e.g., warnings or rejection of data from individual clinical investigations) have not been or probably will not be adequate in achieving compliance.
