In response to "What types of health IT should be addressed by the report developed by FDA, ONC, and FCC?":
1. All healthcare systems and devices which communicate over any communication channel (wired or wireless).
2. The methodologies used to evaluate vulnerabilities in the systems and devices from a functional and non-functional perspective.
3. The qualifications of the personnel the manufacturers, integrators, and end users of systems and devices use to determine the vulnerabilities found in the systems and devices.
4. The qualifications of the personnel the manufacturers, integrators, and end users of systems and devices use to determine the design criteria for securing the systems and devices.
In response to "What are the risks to patient safety posed by health IT and what is the likelihood of these risks?":
1. Any device which communicates over a wired or wireless channel poses a risk (equivalent to 100%) that either a malicious actor or curious explorer will access and potentially cause harm to the patient it is being used on.
In response to "What factors or approaches could be included in a risk-based regulatory approach for health IT to promote innovation and protect patient safety?":
1. A thorough vulnerability assessment which includes the following:
a. Fuzz testing of all communication protocols
b. Hardware security analysis
c. Factory Acceptance Testing
d. Interoperability Testing
e. Site Acceptance Testing
f. Code signing of all binaries used in medical devices
g. Failure mode effects of fuzz testing and fault injections
It is extremely important to note that most design processes focus on testing of functional requirements. Most vulnerabilities discovered are the result of non-functional use (or negative testing) of devices. Most medical manufacturers and end users are not equipped with tools to perform these types of tests. Other industries perform such tests as a normal part of development, using COTS tools and software.
Comment on Notice: Food and Drug Administration Safety and Innovation Act (FDASIA): Request for Comments on the Development of a Risk-Based Regulatory Framework and Strategy for Health Information Technology