CHIME to FDA: Collaboration on med device security between vendors, providers critical

The College of Healthcare Information Management Executives lauds the U.S. Food and Drug Administration for its work on medical device cybersecurity in a recent letter, but also says that increased collaboration between manufacturers and providers is critical.

The letter is in response to request for comment on guidance the FDA released in January focused on postmarket cybersecurity of medical devices. That guidance was a follow up to one published in October 2014 outlining how medical device makers should address cybersecurity risks in the pre-market design of their products.

CHIME's comments on the guidance cover the organization's overall reflections, commentary on the postmarket guidance and responses to specific questions from the FDA.

Its major recommendations include:

  • The Health and Human Services Department should create a certification program for the device industry to "ensure that devices being purchased have met vigorous testing and cybersecurity quality controls"
  • The FDA should work with HHS's Office for Civil Rights to make sure implementation guidance is better aligned; the Cybersecurity Act of 2015 requires HHS to create a plan showing how it will address cybersecurity issues in the industry
  • Participation in Information Sharing and Analysis Organizations (ISAOs) should be a requirement to better the relationship between providers and manufacturers
  • The FDA should set up a hotline that providers can call if they run into issues with device makers who say they can't fix a security risk without agency clearance
  • The risk framework should be standardized, "not just offered as guidance"

Rep. James Langevin (D-R.I.) also recently published comments supporting the FDA's guidance, saying it "would make substantial progress" in the medical device security arena and applauding the guidance's emphasis on risk-based cybersecurity.

He adds that the FDA, in addition to promoting the guidance, "has an important responsibility to ensure that manufacturers are properly complying with the proposed mitigation methods or are properly reporting cybersecurity risks."

The agency also should build upon industry collaborations and advance work with manufacturers, patients, IT experts, security researchers, and others, Langevin says.

To learn more:
- here's the CHIME letter (.pdf)
- check out Langevin's comments (.pdf)

Suggested Articles

Healthcare software company Phreesia closed its first day of trading as a public company Thursday about 40% above its set price.

The announcement comes on the heels of the Trump administration's effort aimed at kidney care that includes expanding access to in-home dialysis.

Technology company Philips has acquired Boston-based startup Medumo, the developer of patient navigation and engagement solutions.