FDA looks to private sector for new medical device cybersecurity plan
Citing the increasing importance of public-private partnerships, officials at the Food and Drug Administration recently introduced a new plan with industry stakeholders to promote the cybersecurity of medical devices.
The FDA’s new Medical Device Safety Action Plan builds on the agency’s earlier guidance on medical device cybersecurity, but it also seeks to draw on private-sector expertise by seating industry experts on a CyberMed Safety Analysis Board.
The board would oversee various aspects of medical device safety, including “assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations,” and investigating possibly compromised devices at the request of the FDA or manufacturers.
“That is something that we are really excited about,” Aftin Ross, senior project manager at the FDA’s Center for Devices and Radiological Health, said at ACT-IAC’s Health Innovation Day on Thursday. “Because what we sometimes find is that there can be complex issues that can come up and it can take us too long to get to the ground truth in order to be able to help entities come up with IT-appropriate mitigations. Bringing together expertise from outside government to help to inform what some of those things might look like would be very important.”
Funding for the new board is included in the president’s proposed fiscal 2019 budget under a request to bolster the FDA’s Expand the Digital Technology Industry program.
The action plan also calls for updating the FDA’s premarket guidance to require that device makers build in the ability to patch and update device software, and that they supply a “software bill of materials” so that hospitals and other device users know which software components are running on the devices on their networks.
The plan also calls for new premarket guidance that distinguishes moderate cybersecurity risks to devices, such as ransomware, from major risks, such as device vulnerabilities that could be exploited in a serious attack. Ross said the FDA had already made inroads in helping device makers address product issues more nimbly with its Postmarket Management of Cybersecurity in Medical Devices guidance, finalized in December 2016.
“One of the things that we did is we came up with criteria for trying to relieve that regulatory burden if these manufacturers were to take a proactive approach,” she said. “These criteria included making sure there was no adverse event associated with the device.”
Under the FDA’s current Part 806 reporting regulations, a device maker that undertakes a correction or removal to address a health risk must report it to the FDA within 10 working days of initiating it, together with information about the device, including manufacturing and marketing details, and any illnesses or injuries associated with the device.
The postmarket guidance streamlines some of that reporting process, Ross said, if manufacturers are proactive about the disclosures.
“If you also communicated early on with your customers about it and any initial mitigations they could undertake to shore up the security of your device while you could work on a more permanent fix — and also worked with information-sharing and analysis organizations to more broadly distribute information on that vulnerability to the community — then you would not have to come in and do the 806 reporting,” she said.
The draft of the action plan was issued on Tuesday and FDA officials are soliciting comment from industry and public stakeholders.
Editor’s Note April 24, 2018: This story has been updated to clarify Dr. Ross’ comments on relieving regulatory burden for medical device reporting to refer to the 2016 Postmarket Management of Cybersecurity in Medical Devices guidance.