AAMI Submits Comments on Cybersecurity Draft Guidance

Posted September 11, 2013

Citing the need for consistent terminology, AAMI has asked the U.S. Food and Drug Administration (FDA) to ensure that terms it uses in draft guidance on cybersecurity considerations for medical device manufacturers are consistent with those used by industry and standards developers.

The FDA released the draft guidance in June to identify cybersecurity-related issues that device makers should take into account when preparing their premarket submissions. It cited cybersecurity as a growing concern, particularly with the increased use of wireless, Internet-, and network-connected devices, as well as the electronic exchange of health data. 

In comments dated Sept. 4, AAMI President Mary Logan recommended that the agency make modifications in the draft guidance when necessary “to better align” definitions, thus helping to “eliminate or reduce misunderstandings and provide more consistency.”

Logan further noted that several key terms are not defined in the draft document. To reduce the potential for confusion, Logan suggested adding a section titled “Terms and Definitions,” as AAMI does in its standards. Terms the agency should define include cybersecurity risks, cybersecurity risk analysis, and cybersecurity risk management, she said.

In addition, Logan asked the agency to clarify whether “fail-safe” is a defined regulatory term. If so, she said, the FDA should include it with other definitions. The draft guidance uses the term when recommending that companies implement “fail-safe” features to ensure a device’s functionality, “even when the device’s security has been compromised.”

Logan concluded the comments by asking the FDA to consider two standards—ANSI/AAMI/ISO 14971:2007, Medical devices – Application of risk management to medical devices, and ANSI/AAMI/IEC 62304:2006, Medical device software – Software life cycle processes—to ensure consistency and harmonization.
