DOCSLIB.ORG

A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff Abstract and users cannot assume that medical Steven Harp, is a distinguished We propose a reference architecture aimed at devices will operate in a benign security engineer at Adventium Labs in supporting the safety and security of medical environment. Any device that is capable of Minneapolis, MN. Email: steven. devices. The ISOSCELES (Intrinsically connecting to a network or physically [email protected] Secure, Open, and Safe Cyber-Physically exposes any sort of data port is potentially at Enabled, Life-Critical Essential Services) risk. How should we think about and Todd Carpenter, is chief engineer architecture is justified by a collection of design manage risk in this context? at Adventium Labs in Minneapolis, principles that leverage recent advances in This question has been explored exten- MN. Email: todd.carpenter@ software component isolation based on sively.3,4 Special publications from the adventiumlabs.com hypervisor and other separation technologies. National Institute of Standards and Technol- The instantiation of the architecture for ogy (e.g., 800-39) provide a conceptual risk John Hatcliff, PhD, is a particular medical devices is supported by a management framework.5,6 AAMI TIR577 distinguished professor at Kansas development process based on Architecture describes how security risk management State University in Manhattan, KS. Analysis and Design Language. The architec- can be integrated with safety risk manage- Email: [email protected] ture models support safety and security ment (e.g., as addressed in ISO 14971 and analysis as part of a broader risk management specifically for medical devices in IEC framework. The models also can be used to 80001). The UL 2900 series of standards derive skeletons of the device software and to provides cybersecurity requirements for configure the platform’s separation policies and medical devices.8 an extensive set of services. We are developing In brief, a threat source initiates a threat prototypes of the architecture and example event, which may exploit a device vulnera- medical device instantiations on low-cost bility, causing an adverse impact. The boards that can be used in product solutions. impact might affect the mission of the The prototype and supporting development device, the end user, or the organization and assurance artifacts are being released that created or operated the device. In this under an open-source license. framework, risk is based on the likelihood of a threat event occurring and amplified by A reference architecture is a domain-spe- the potential loss (adverse impact) should cific design template for the structure of a the event occur. class of systems as a set of constituent parts Threat sources have capabilities, intents, with special roles and communications and often preferences for particular targets. patterns. The reference architecture Automated threats, such as malware, can be discussed in this article addresses the class indiscriminate in their target selection and of small bedside medical devices (e.g., do not care whether they are exploiting a infusion pumps, electrocardiographs, personal system or a hospital. Threats ventilators). The architecture also aims to targeting particular organizations also are support interoperability interfaces through well documented.9–11 The intent of the threat compatibility with the ASTM F2761 Inte- source is frequently financial, as exemplified grated Clinical Environment (ICE)1 or the by the recent spate of ransomware (e.g., IEEE 11073 service-oriented device connec- WannaCry).12 In addition to direct extortion, tivity standards.2 Any such architecture the medical information that is present in must address a wide range of requirements, some devices can have indirect value, such including safety, cost, maintainability, and as protected health information or personally performance. It also must address an identifiable information being leveraged to unpleasant modern reality: Manufacturers steal funds or illegally acquire drugs. www.aami.org/bit 357 FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. A special type of impact needs to be instantiate it can reduce the attack surface. considered for medical devices: The lives Security controls in the device can further and health of patients may depend on them. reduce an attacker’s ability to exploit certain Security and safety are intertwined in such outstanding vulnerabilities and minimize systems, and failure to manage security the impact of successful exploitation of risks may pose safety risks.7 Beyond being others. an end target of an attack, a medical device The remainder of this article presents may represent a stepping stone for a larger principles driving the design and instantia- campaign. Exploitation of a vulnerable tion of Intrinsically Secure, Open, and Safe device may permit access to other clinical or Cyber-Physically Enabled, Life-Critical financial systems by allowing the attacker to Essential Services (ISOSCELES)—a safe and leverage trust information or to extract secure architecture for medical devices. credentials that allow the device to connect to these other systems. An example of a Architecture successful attack of this sort is documented The ISOSCELES reference architecture is in the MEDJACK report on blood-gas-ana- specified with tiered requirements: lyzers attacked in 2015–16.9 1. Platform core requirements for hard- A noteworthy long-term risk is when ware, system software, and services malware authors or researchers automate supporting the medical application. the attacks. This could result in multiple, 2. Platform design requirements derived nearly simultaneous malfunctions, similar from the platform core requirements Security controls in to what occurred with the WannaCry attack and refined to a specific design. the device can further in May 2017. With automation, botnet 3. Device design requirements specific to a reduce an attacker’s controllers could use the devices to attack particular medical device being devel- ability to exploit other devices on healthcare facility net- oped (e.g., an infusion pump). certain outstanding works. Decades ago, the attackers were The first two platform tiers drive the vulnerabilities and people who actively attacked your computer. reference architecture. These 134 require- minimize the impact of Unfortunately, automated botnets—mil- ments are intended to be suitable for a successful exploitation of lions of already-compromised machines broad family of potential medical devices. others. trying to grow their reach—are now the Figure 1 illustrates various components of prevalent attackers. a hypothetical medical device design based Recent Department of Homeland Security on this reference architecture. The exact advisories documented hard-coded pass- medical applications and services needed words and credentials in medical devices.13,14 may vary according to the device. A hard- Vulnerabilities such as these make it easier ware layer (bottom of figure) contains for malware (e.g., botnets, ransomware) to processors and peripheral devices that gain a foothold on the device. support security mechanisms. A low-level By itself, a medical device architecture separation layer of software uses these cannot address all aspects of risk. Security mechanisms to isolate all other software analyst Sergey Lozhkin noted that although components from each other, except for vulnerable devices were revealed in penetra- specifically allowed interactions. The tion testing, “the problem is not only one of ISOSCELES platform services satisfy typical weak protection of medical equipment, it needs of the top-layer medical applications has a much wider scope. The whole IT that provide medical diagnostics and infrastructure of modern hospitals is not therapies. The design of a specific device properly organized and protected, and the might incorporate only the required ele- problem persists worldwide."10 ments needed for that class of device. Until the day when software can be automatically and completely validated, we Architectural Principles must assume that some vulnerabilities The ISOSCELES reference architecture remain even after formal design and attempts to promote basic principles that extensive testing. However, a suitable provide security and safety. These principles reference architecture and tools to help and their motivations are described below. 358 Biomedical Instrumentation & Technology September/October 2018 FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. Use Strong Time and Space Separation Many modern systems provide a basic security perimeter but lack internal security barriers, making it easy for attackers to access arbitrary information within the device, and even to control the device, after they have breached the perimeter. Strong barriers between software components help contain faults and attacks from propagating to safety-critical components. For example, if an infusion pump requires a network connection (e.g., to maintain current drug libraries), the network stack and code associated with retrieving the drug library should be wholly separate from the software that interprets the contents of the Figure 1. The layered ISOSCELES (Intrinsically Secure, Open, and Safe Cyber-Physically
Load more

Recommended publications
  • Senior Data Engineer Cala Health, Inc
    875 Mahler Road, Ste. 168 Burlingame, CA, 94010 +1 415-890-3961 www.calahealth.com Job Description: Senior Data Engineer Cala Health, Inc. About Cala Health Cala Health is a bioelectronic medicine company transforming the standard of care for chronic disease. The company's wearable neuromodulation therapies merge innovations in neuroscience and technology to deliver individualized peripheral nerve stimulation. Cala Health’s lead product, Cala Trio™, is the only non-invasive prescription therapy for essential tremor and is now available through a unique digital business model of direct- to-patient solutions. New therapies are under development in neurology, cardiology, and psychiatry. The company is headquartered in the San Francisco Bay Area and backed by leading investors in both healthcare and technology. For more information, visit CalaHealth.com. The Opportunity We are looking for a Senior Data Engineer to expedite our Data Platform Stack to support our growth and also enable new product development in a dynamic, fast-paced startup environment. Specific Responsibilities also include ● Key stakeholder in influencing the roadmap of Cala’s Digital Therapeutics Data Platform. ● Build, operate and maintain highly scalable and reliable data pipelines to enable data collection from Cala wearables, partner systems, EMR systems and 3rd party clinical sources. ● Enable analysis and generation of insights from structured and unstructured data. ● Build Datawarehouse solutions that provide end-to-end management and traceability of patient longitudinal data, enable and optimize internal processes and product features. ● Implement processes and systems to monitor data quality, ensuring production data is always accurate and available for key stakeholders and business processes that depend on it.
    [Show full text]
  • Software Assurance
    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
    [Show full text]
  • Mdcg 2019-16
    Medical Device Medical Device Coordination Group Document MDCG 2019-16 MDCG 2019-16 Guidance on Cybersecurity for medical devices December 2019 This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission.The document is not a European Commission document and it cannot be regarded as reflecting the official position of the European Commission. Any views expressed in this document are not legally binding and only the Court of Justice of the European Union can give binding interpretations of Union law. Page 1 of 46 Medical Device Medical Device Coordination Group Document MDCG 2019-16 Table of Contents 1. Introduction ........................................................................................................................................ 4 1.1. Background ............................................................................................................................. 4 1.2. Objectives ............................................................................................................................... 4 1.3. Cybersecurity Requirements included in Annex I of the Medical Devices Regulations ........ 4 1.4. Other Cybersecurity Requirements ......................................................................................... 6 1.5. Abbreviations .........................................................................................................................
    [Show full text]
  • BSI Medical Devices: Webinar Q&A
    ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 BSI Medical Devices: Webinar Q&A ISO 14971:2019 Risk Management for Medical Devices 13 November 2019 Page 1 of 10 ISO 14971:2019 Risk Management for Medical Devices: Webinar Q&A November 2019 Q&A Q. Should EN ISO 14971:2012 be used to demonstrate continued compliance to the ERs or GSPRs or use the 2019 revision of the standard? A. A manufacturer must demonstrate compliance to the applicable legislation. Harmonization of a standard allows for a presumption of conformity to the applicable legislation where the standard is applied and the manufacturer considers the Qualifying remarks/Notes in Annex Z. Additional clarification has been made available from the European Commission, whereby it is now considered that the recent editions of standards published by standardizers reflect the state of the art, regardless of its referencing in the OJEU and therefore the ISO 14971:2019 version represents the state of the art for the Medical Device Directives and Regulation. This update is welcomed as it provides clarity for industry and ensures manufacturers need only to comply with a single version of a standard. It is anticipated the 2019 revision will be harmonized to the Regulations. Q. From the Date of Application of the MDR and IVDR will the technical documentation for existing Directive certificates be required to be updated to the 2019 revision of the standard, considering the transitional provisions of MDR Article 120 and IVDR Article 110? A. A manufacturer must demonstrate compliance to the applicable legislation.
    [Show full text]
  • FI-STAR Deliverable D1.1 Has Already Discussed Legal Requirements Related to Data Security Breach Notifications
    Ref. Ares(2014)706091 - 13/03/2014 Deliverable D2.1 Standardisation and Certification requirements Editor: Franck Le Gall, easy global markets Deliverable nature: Report (R) Dissemination level: Public (PU) (Confidentiality) Contractual delivery Dec. 2013 date: Actual delivery date: Jan. 2014 Suggested readers: Version: 1.1 Total number of 74 pages: Keywords: Standardisation, certification Abstract This document details the technical requirements resulting from existing standards and prepares future certification process. FI-STAR FP7-ICT-604691 D1.2 Standardisation and Certification requirements Disclaimer This document contains material, which is the copyright of certain FI-STAR consortium parties, and may not be reproduced or copied without permission. All FI-STAR consortium parties have agreed to full publication of this document. The commercial use of any information contained in this document may require a license from the proprietor of that information. Neither the FI-STAR consortium as a whole, nor a certain part of the FI-STAR consortium, warrant that the information contained in this document is capable of use, nor that use of the information is free from risk, accepting no liability for loss or damage suffered by any person using this information. This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 604691. Impressum [Full project title] Future Internet Social and Technological Alignment Research [Short project
    [Show full text]
  • Medical Device Cyber Security – Best Practice Guide
    Integrating the Healthcare Enterprise 5 IHE Patient Care Device (PCD) White Paper 10 Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide 15 Published Revision 1.1 20 Date: October 14, 2015 Author: IHE PCD Technical Committee Email: [email protected] 25 Please verify you have the most recent version of this document. See here for Published versions and here for Public Comment versions. Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________ Foreword This white paper is published on October 14, 2015. Comments are invited and can be submitted at http://www.ihe.net/PCD_Public_Comments/. 30 General information about IHE can be found at: www.ihe.net. Information about the IHE Patient Care Device domain can be found at: ihe.net/IHE_Domains. Information about the organization of IHE Technical Frameworks and Supplements and the process used to create them can be found at: http://ihe.net/IHE_Process and 35 http://ihe.net/Profiles. The current version of the IHE Patient Care Device Technical Framework can be found at: http://www.ihe.net/Technical_Frameworks. ______________________________________________________________________________ 2 Rev. 1.1 – 2015-10-14 Copyright © 2015: IHE International, Inc. IHE Patient Care Device White Paper – MEM Medical Device Cyber Security-Best Practice Guide ______________________________________________________________________________
    [Show full text]
  • Postmarket Management of Cybersecurity in Medical Devices
    Contains Nonbinding Recommendations Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff Document issued on December 28, 2016. The draft of this document was issued on January 22, 2016. For questions regarding this document, contact Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, rm. 5434, Silver Spring, MD 20993-0002, 301-796-6937. For questions regarding this document as applied to devices regulated by CBER, contact the Office of Communication, Outreach and Development in CBER at 1-800-835-4709 or 240-402-8010 or [email protected]. U.S. Department of Health and Human Services Food and Drug Administration Center for Devices and Radiological Health Office of the Center Director Center for Biologics Evaluation and Research Contains Nonbinding Recommendations Preface Public Comment You may submit electronic comments and suggestions at any time for Agency consideration to http://www.regulations.gov . Submit written comments to the Division of Dockets Management, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852. Identify all comments with the docket number FDA-2015-D-5105. Comments may not be acted upon by the Agency until the document is next revised or updated. Additional Copies CDRH Additional copies are available from the Internet. You may also send an e-mail request to [email protected] to receive an electronic copy of the guidance. Please use the document number 1400044 to identify the guidance you are requesting. CBER Additional copies are available from the Center for Biologics Evaluation and Research (CBER), by written request, Office of Communication, Outreach, and Development (OCOD), 10903 New Hampshire Ave., Bldg.
    [Show full text]
  • 510(K) for a Software Change to An
    Contains Nonbinding Recommendations Draft – Not for Implementation 1 Deciding When to Submit a 2 510(k) for a Software Change to an 3 Existing Device 4 ______________________________________________________________________________ 5 Draft Guidance for Industry and 6 Food and Drug Administration Staff 7 8 DRAFT GUIDANCE 9 This draft guidance document is being distributed for comment purposes only. 10 11 Document issued on August 8, 2016. 12 13 You should submit comments and suggestions regarding this draft document within 90 days of 14 publication in the Federal Register of the notice announcing the availability of the draft 15 guidance. Submit electronic comments to http://www.regulations.gov. Submit written 16 comments to the Division of Dockets Management (HFA-305), Food and Drug Administration, 17 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. Identify all comments with the docket 18 number listed in the notice of availability that publishes in the Federal Register. 19 20 For questions about this document, contact (CDRH) Linda Ricci, Office of Device Evaluation, 21 301-796-6325, [email protected]. 22 23 For questions about this document regarding CBER-regulated devices, contact the Office of 24 Communication, Outreach and Development (OCOD), by calling 1-800-835-4709 or 240-402- 25 8010. 26 27 28 29 U.S. Department of Health and Human Services 30 Food and Drug Administration 31 Center for Devices and Radiological Health 32 Center for Biologics Evaluation and Research 33 1 Contains Nonbinding Recommendations Draft – Not for Implementation 34 Preface 35 36 Additional Copies 37 38 CDRH 39 Additional copies are available from the Internet.
    [Show full text]
  • MDR Best Practices Guidelines
    MDR Documentation Submissions – Revision 2, May 2020 Page 1 of 41 ` MDR Documentation Submissions Best Practices Guidelines MDR Documentation Submissions – Revision 2, May 2020 Page 2 of 41 Contents 1 Introduction ..................................................................................................... 3 2 Submission and Technical Documentation contents ....................................... 3 2.1 Cover letter ......................................................................................................... 3 2.2 The Technical Documentation ............................................................................ 4 2.3 Authorisation for the work to be conducted ....................................................... 4 3 Submission Method .......................................................................................... 4 4 Document Format ............................................................................................. 5 4.1 Language ............................................................................................................ 5 4.2 Electronic File Format ......................................................................................... 5 4.2.1 Format and file size limits ........................................................................................ 5 4.2.2 Optical Character Recognition (searchable format) ..................................................... 6 4.2.3 Bookmarks ............................................................................................................
    [Show full text]
  • Draft International Standard Iso/Dis 14971
    DRAFT INTERNATIONAL STANDARD ISO/DIS 14971 ISO/TC 210 Secretariat: ANSI Voting begins on: Voting terminates on: 2018-07-19 2018-10-11 Medical devices — Application of risk management to medical devices Dispositifs médicaux — Application de la gestion des risques aux dispositifs médicaux ICS: 11.040.01 Member bodies are requested to consult relevant national interests in IEC/SC 62A before casting their ballot to the e-Balloting application. THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS This document is circulated as received from the committee secretariat. THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH. IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, ISO/CEN PARALLEL PROCESSING TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN Reference number NATIONAL REGULATIONS. ISO/DIS 14971:2018(E) RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION. © ISO 2018 ISO/DIS 14971:2018(E) COPYRIGHT PROTECTED DOCUMENT © ISO 2018 Allon therights internet reserved. or an Unless intranet, otherwise without specified, prior written or required permission. in the contextPermission of its can implementation, be requested nofrom part either of this ISO publication at the address may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting belowCP 401or ISO’s • Ch.
    [Show full text]
  • MEDICAL DEVICES Overview and Challenges
    MEDICAL DEVICES Overview and Challenges The medical device industry is witnessing transformational changes due to globalization, an uncertain macroeconomic climate, changing regulations and technology advancements. To succeed, we believe device manufactures need to focus on the following: Converging technologies Maintaining an Regulatory compliance Market opportunities and “consumerization” of innovative edge despite without aecting cycle with localized oerings healthcare strained R&D budgets times Manufacturers are looking to The rapid penetration of technology Increased taxation on medical Device development is being emerging markets for growth. in provisioning systems necessitates device manufacturers due to new saddled by compliance and Success will depend heavily on a seismic change in device healthcare regulations in mature regulatory initiatives impacting product oerings built for global development strategies, a sharper markets put additional pressure on development cycles, requiring new markets and localized to meet focus on consumer preferences and the bottom line and already strained investment in lifecycle processes specic regional requirements. This connected care as well as R&D budgets. Device manufacturers needs eective management of new investments in enabling need to rethink their core value and global value chains, consumer technologies such as cloud, mobility, identify opportunities to improve preferences, regulatory and healthcare analytics. R&D productivity environments and business models that are often unfamiliar
    [Show full text]
  • Deciding When to Submit a 510(K) for a Change to an Existing Device
    Contains Nonbinding Recommendations Deciding When to Submit a 510(k) for a Change to an Existing Device Guidance for Industry and Food and Drug Administration Staff Document issued on October 25, 2017. The draft of this document was issued on August 8, 2016. This document supersedes Deciding When to Submit a 510(k) for a Change to an Existing Device, dated January 10, 1997. For questions about this document regarding CDRH-regulated devices, contact the 510(k) Staff at 301-796-5640. For questions about this document regarding CBER-regulated devices, contact the Office of Communication, Outreach, and Development (OCOD) at 1-800-835-4709 or 240-402-8010. U.S. Department of Health and Human Services Food and Drug Administration Center for Devices and Radiological Health Center for Biologics Evaluation and Research 1 Contains Nonbinding Recommendations Preface Public Comment You may submit electronic comments and suggestions at any time for Agency consideration to http://www.regulations.gov . Submit written comments to the Division of Dockets Management, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852. Identify all comments with the docket number FDA-2011-D-0453. Comments may not be acted upon by the Agency until the document is next revised or updated. Additional Copies CDRH Additional copies are available from the Internet. You may also send an e-mail request to [email protected] to receive a copy of the guidance. Please use the document number 1500054 to identify the guidance you are requesting. CBER Additional copies are available from the Center for Biologics Evaluation and Research (CBER) by written request, Office of Communication, Outreach, and Development (OCOD), 10903 New Hampshire Ave., WO71, Room 3128, Silver Spring, MD 20903, or by calling 1-800-835-4709 or 240-402-8010, by email, [email protected], or from the Internet at http://www.fda.gov/BiologicsBloodVaccines/GuidanceComplianceRegulatoryInformatio n/Guidances/default.htm.
    [Show full text]