With the recent hack of Change Healthcare back in the news, a committee of the U.S. House of Representatives took up the subject of cybersecurity, which included only a couple of mentions of medical devices. However, witnesses at the hearing emphasized the role of the federal government in thwarting foreign cybersecurity threats against health care facilities, with John Riggi of the American Hospital Association stating, “we need the [federal] government to go after bad actors overseas.”
The U.S. Department of Health and Human Services (HHS) was quite vocal in its statement regarding a recent hospital cybersecurity breach, but HHS recently suffered an undisclosed data breach that cost $7.5 million in taxpayer monies.
There are coincidences and then there are big coincidences, the latter of which might describe a new U.S. FDA draft guidance and a major cybersecurity breach. The agency has issued a draft update to its premarket cybersecurity guidance even as the Department of Health and Human Services announced an investigation into the hack of the IT system at Change Healthcare, a pair of developments that seem likely to set the world of connected medical devices on its collective ear.
Henry Schein Inc., long known primarily as a dental equipment distributor, added two deals to its 2023 roster that will expand its presence in the orthopedics market. The company agreed to acquire a majority interest in Trimed Inc., which focuses on solutions for treatment of the upper and lower extremities, and entered into a strategic relationship with Extremity Medical LLC.
The U.S. Federal Trade Commission announced Nov. 21 that it has obtained a civil monetary penalty in the amount of $700,000 from CRI Genetics LLC, an enforcement action taken under the agency’s policy for biometrics information.
The medical device industry might at times believe that it is the sole focus of the U.S. federal government thinking about cybersecurity, but the FDA is hardly alone in leaning hard on industry to stand up a solid cybersecurity regime. The Securities and Exchange Commission (SEC) is also turning the screws on corporate America regarding cybersecurity, as seen in enforcement against Solarwinds Corp., an enforcement action that Seth Carmody of Medcrypt Inc. said highlights the breadth of regulatory hazards for the med-tech industry.
As reported previously in coverage by BioWorld, the U.S. FDA’s latest guidance on cybersecurity elevates the agency’s demands for medical device cybersecurity, but the agency advised industry in a recent webinar that hospital IT systems are fraught with cybersecurity hazards of their own, and thus device makers should view these IT systems as potentially hostile environments where cybersecurity is concerned.
The Consolidated Appropriations Act of 2023 covered a lot of budget terrain for the U.S. federal government, but Section 3305 was unusual for this type of bill in that it called on the FDA to require cybersecurity features as a part of the Quality System Regulation (QSR).
The Biden administration recently announced an extension of the comment period for a request for information on harmonization of cybersecurity regulation, a proposal that could conflict with FDA regulation of medical device cybersecurity.