The FDA has struggled to revise a guidance related to cybersecurity in medical devices, but developers now have more than just lagging FDA guidances to worry about where cybersecurity is concerned. The U.S. Department of Justice (DoJ) has unveiled a program designed to leverage the False Claims Act to pursue entities that come up short of regulatory expectations for cybersecurity, constituting a new vector for liability for makers of devices and medical software.
As cyberattacks on U.S. hospitals continue to increase with health care’s growing reliance on technology, a new report from the U.S. Office of Inspector General (OIG) has flagged Medicare’s requirements for being silent on the cybersecurity of networked medical devices. The OIG’s study found hospitals are not required to identify networked device cybersecurity in their emergency preparedness risk assessments, and as a result, they don’t include this information “very often.”
A new FDA discussion paper addresses cybersecurity issues specific to the servicing of medical devices, with the goal of guiding the conversation about potential challenges and opportunities. It coincides with a larger agency initiative to provide more clarity on servicing.