Regulator Roundtable: Controls Regulators Want to See in Medical Devices

Deven McGraw
Deputy Director
Health Information Privacy at Office for Civil Rights
U.S. Department of Health & Human Services
Linda Ricci
Associate Director
Office of Device Evaluation Digital Health
FDA’s Center Director for Devices and Radiological Health (CDRH) 

Many medical device manufacturers, engineers and vendors claim that it is not their responsibility to build security and privacy controls into their devices. The most common reasons given include: 1) It is solely the responsibility of providers to build security controls around medical devices; 2) It would make medical devices prohibitively expensive to build in such controls; and 3) No physicians, regulators or patients have ever requested such controls. When challenged on how, as HIPAA business associates, they will be able to demonstrate compliance with HIPAA, they claim they are not subject to HIPAA requirements. Information security officers, privacy officers, patients and privacy groups are frustrated with the risks that the lack of controls in medical devices creates for patient privacy, information security and patient safety. In this lively and thought-provoking session, Rebecca Herold will host Deven McGraw, from the HHS OCR, and Linda Ricci, from the FDA, in an enlightening discussion of these issues and more.