Guest Column | December 9, 2019

The IMDRF Cybersecurity Guidance: A Comprehensive Analysis

By Sagar Patel, Battelle


The International Medical Device Regulators Forum (IMDRF) published new draft guidance on Oct. 1, 2019, outlining responsibilities and best practices for medical device manufacturers, regulators, and end users. The comment period for the non-binding draft guidance document closed Dec. 2, 2019.

Harmonizing Medical Device Cybersecurity Guidelines Across Borders and Agencies

Currently, cybersecurity guidelines for medical devices vary from country to country. In the United States, the U.S. Food and Drug Administration (FDA) has released two guidance documents aimed primarily at medical device manufacturers. The premarket and postmarket documents — issued in 2014 (updated in 2018) and 2016, respectively — describe what the FDA expects regarding cybersecurity in premarket submissions and in postmarket management plans. These guidance documents have become the basis for regulatory guidance in several other countries. However, many countries have developed different guidelines or have not issued any guidance at all, creating significant confusion in the marketplace.

The IMDRF is a group of medical device regulators from around the world that have voluntarily come together to harmonize regulatory requirements for medical products that vary from country to country. The IMDRF develops internationally agreed-upon documents on a variety of topics affecting medical devices.

One of the new IMDRF guidance’s goals is to harmonize medtech cybersecurity guidelines between countries and regions, so that device manufacturers have one clear set of rules to follow to achieve regulatory compliance in all the places they sell. The new guidance is not legally binding and does not replace or overturn local regulatory requirements. However, most countries are expected to update their own regulatory guidance over time to harmonize with the IMDRF guidelines.

The draft cybersecurity guidance addresses premarket and postmarket cybersecurity considerations for manufacturers, regulators, healthcare providers and other stakeholders (e.g., security researchers). For premarket activities, the IMDRF recommendations address security requirements, risk management, security testing, and regulatory submission aspects. For postmarket activities, the IMDRF recommendations address information sharing, coordinated vulnerability disclosure, vulnerability remediation, and incident response.

FDA Guidance Documents vs. IMDRF: What’s New and What’s Changed

The new document overlaps extensively with the existing FDA guidance documents, so manufacturers already following FDA guidance will be well-positioned to meet the IMDRF guidelines. However, there are a few important differences:

  • Total Lifecycle Approach: Unlike the existing FDA guidance documents, the IMDRF guidance combines premarket and postmarket recommendations in one document. This “total lifecycle” approach will help manufacturers develop a more cohesive and comprehensive cybersecurity plan for their products. For example, manufacturers should be planning for secure postmarket patches and updates from the earliest stages of development, rather than waiting until after the product has been released.
  • Elimination of Risk Tiers: The FDA currently separates medical devices into two risk categories: “low security risk” devices do not require as much documentation and testing as “high security risk” devices. However, the definitions of “high risk” vs. “low risk” are not well described and may be considered somewhat subjective. This has created a degree of confusion for device manufacturers, who may not be sure which category their device falls under and, consequently, what is required in their premarket submission.

The IMDRF guidance document does not attempt to classify medical devices by risk profile; all medical devices are subject to the same requirements for cybersecurity risk assessment and mitigation. This does not necessarily mean that devices commonly understood to be “low risk” (e.g., not presenting a physical safety or data security risk if hacked or tampered with) will now be subject to additional testing or more stringent mitigations; however, premarket submissions must address all possible risks and clearly demonstrate why some risks do not apply to the device in question.

  • Shared Responsibility: The IMDRF guidance addresses multiple stakeholders, including medical device manufacturers, regulatory agencies, end users, and cybersecurity researchers. The document’s postmarket section addresses healthcare providers by assigning them equal responsibility for medical device cybersecurity and recommending adoption of a risk-management process for devices connected to their IT infrastructure.

Expanded Focus on Cybersecurity Risks for Legacy Medical Devices

The guidance document’s postmarket section places a special emphasis on legacy devices, outlining more detailed and stringent recommendations for legacy devices than current FDA postmarket guidelines. IMDRF notes: “As vulnerabilities change over time, premarket controls designed and implemented may be inadequate to maintain an acceptable risk profile; therefore, a postmarket approach is necessary in which multiple stakeholders play a role… This challenge is further exacerbated by the fact that the clinical utility of a device often outlasts their security supportability.”

The guidance document lays out a multi-pronged approach to ensuring the continued safety and security of legacy devices, spreading responsibility across all stakeholders:

  • Patches and Updates: Medical device manufacturers should implement a plan for patching bugs and newly identified security vulnerabilities, as well as for updates that add new functionality. The plan must address how the patch or update is rolled out (e.g., automatically distributed through the cloud, or applied by an on-site technician), as well as any safety or security vulnerabilities created by the update process itself.
  • The Software Bill of Materials and Third-party Component Risk Assessment: Most medical devices contain third-party software or hardware components with their own security vulnerabilities. Manufacturers are responsible for staying aware of vulnerabilities identified in the third-party chips, boards, operating systems, and code their devices use. Creating an accurate software bill of materials (SBOM) that lists all third-party code used in the device enables both manufacturers and end users to check for reported vulnerabilities that may impact the device. The National Institute of Standards and Technology (NIST) is a reliable source for reported vulnerabilities.
  • Communication with End Users / End User Responsibilities: Manufacturers must ensure that end users have timely and accurate information about newly identified security vulnerabilities and what they can do to mitigate them, including patch or update plans. The guidance document also requires manufacturers to clearly communicate when a legacy device will no longer be supported or updated. Conversely, end users have a responsibility to pay attention to information provided by manufacturers, ensure that necessary patches and updates for legacy devices are applied in a timely manner, and remove unsupported devices from their networks.
  • Coordinated Vulnerability Disclosure: The draft expands on current FDA guidelines addressing how security researchers should disclose identified vulnerabilities and how manufacturers should respond. The IMDRF clearly outlines responsibilities for all parties, including security researchers, manufacturers and regulators. Manufacturers should publish information instructing security researchers and users how to report identified bugs or security vulnerabilities.

Manufacturers should also define internal processes explaining how they will respond to submitted vulnerability reports. These should detail how potential vulnerabilities will be verified and the related risks assessed; how verified vulnerabilities will be communicated to regulators, end users, and information sharing organizations (e.g., the Health Information Sharing and Analysis Center); how risk mitigation decisions will be made and communicated; and who is responsible for implementing each portion of the plan.

  • Regulatory Disclosure and Resubmission Requirements: Manufacturers must communicate information about security vulnerabilities, patches, and updates for legacy devices to the appropriate regulatory agency (or agencies). It is the agency’s responsibility to review the information and determine whether the changes will require a new regulatory submission. The guidance document does not attempt to make a definitive statement about what types of changes would trigger a new regulatory submission requirement. However, it does provide regulatory agencies with a series of questions they can ask in making the determination.

For example: What is the nature of the risk associated with the identified vulnerability? Does the recommended patch or update address the risk adequately? What is the probability that new risks have been introduced by the patch or update? Is the update strictly focused on addressing an identified vulnerability, or does it introduce new functionality that may bring new risks? Manufacturers should clearly address these questions when submitting documentation, to help regulators make the correct determination.
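As an added illustration of the SBOM point above (this code is not part of the original column or of any IMDRF material): a minimal check that matches the components listed in a CycloneDX-style SBOM against advisory records shaped like NVD's affected-version range fields. The SBOM contents, component names, versions and EXAMPLE-* identifiers are all constructed placeholders; the block also flags SBOM entries that lack a version, since those cannot be matched and defeat the purpose of the inventory.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device; names and versions are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"name": "rtos-kernel", "version": "6.9.4"},
  {"name": "tls-lib", "version": "1.1.1k"},
  {"name": "bt-stack"}]}"""

# Constructed advisory records shaped like NVD's affected-version range fields;
# the EXAMPLE-* identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "rtos-kernel",
     "versionStartIncluding": "6.5", "versionEndExcluding": "6.9.4.11"},
    {"id": "EXAMPLE-0002", "name": "tls-lib",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1k"},
]

def parse_version(v):
    """Turn '1.1.1k' into a comparable tuple of (number, letter-suffix) per segment."""
    out = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())  # leading digits of the segment
        out.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(out)

def in_range(version, adv):
    """True when version falls inside [versionStartIncluding, versionEndExcluding)."""
    v = parse_version(version)
    start, end = adv.get("versionStartIncluding"), adv.get("versionEndExcluding")
    if start and v < parse_version(start):
        return False
    return not (end and v >= parse_version(end))

def check_sbom(sbom_json, advisories):
    """Match SBOM components against advisories; unversioned entries go to manual review."""
    result = {"affected": [], "unknown_version": []}
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"].lower(), comp.get("version")
        if not version:
            result["unknown_version"].append(name)  # SBOM gap: cannot be matched
            continue
        for adv in advisories:
            if adv["name"] == name and in_range(version, adv):
                result["affected"].append((name, version, adv["id"]))
    return result
```

Running `check_sbom(SBOM_JSON, ADVISORIES)` reports the kernel as affected, leaves the TLS library clear because its version equals the exclusive upper bound, and lists the unversioned Bluetooth stack for follow-up.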

What Medical Device Manufacturers Should Do Now

The IMDRF draft guidance document has been published, and manufacturers and other stakeholders are encouraged to provide feedback on its contents. Manufacturers may also want to note new guidelines that differ from their current cybersecurity risk management practices.

The draft’s release is particularly timely in light of an FDA advisory — issued on the same day that the IMDRF guidance was released — regarding the “URGENT/11” set of vulnerabilities impacting medical devices from a considerable number of manufacturers. The FDA advisory warns that the reported vulnerabilities can be exploited by remote attackers and may impact medical devices and hospitals. The advisory further notes that “URGENT/11” affects several operating systems, which may in turn impact certain medical devices connected to a communications network (such as Wi-Fi and public or home internet), as well as other connected equipment, including routers, connected phones, and other critical infrastructure equipment.

These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all. The FDA is coordinating with affected medical device manufacturers and healthcare providers to mitigate issues stemming from the reported vulnerabilities.

The new IMDRF guidance document will go a long way towards clarifying expectations and best practices for medical device cybersecurity, especially for manufacturers selling to a global market. Of course, manufacturers will always have to defer to local regulatory requirements when submitting medical devices for approval in a new country, and minor differences may persist between countries and agencies.

However, this document is likely to serve as a blueprint for most regions, including the next round of FDA guidance documents. Manufacturers who put the IMDRF guidelines into practice will be well-positioned for approval throughout all their markets.

About the Author

Sagar Patel is the cybersecurity lead for a Battelle service aimed at helping medical device manufacturers identify and resolve potential cybersecurity threats at various stages of product development. Apart from working with device manufacturers, Sagar is also responsible for developing new testing tool-sets, conducting research into novel penetration testing techniques, and collaborating with product development teams on the security aspects of internal product development. Sagar is a voting member of the AAMI Device Security working group, contributing to security guidance and standards for medical devices.