FDA: Best Practices for Communicating Cybersecurity Vulnerabilities

Oct. 11, 2021
The FDA released a document outlining best practices for healthcare organizations to communicate cybersecurity vulnerabilities to patients, as usage of connected devices continues to grow.

The U.S. Food and Drug Administration’s (FDA’s) Center for Devices and Radiological Health (CDRH) has released a new document this month entitled, “Best Practices for Communicating Cybersecurity Vulnerabilities to Patients.”

The document states, “Although it may not be possible to communicate about every cybersecurity vulnerability, the FDA works with federal partners and industry stakeholders to assess the best approaches to communicate with patients and caregivers about specific and relevant cybersecurity events that may affect public health.”

The FDA and CDRH state in the document that both remain committed to their mission to promote and protect public health, including the effective use of medical devices that are connected to the internet, hospital networks, and other medical devices (“connected medical devices”). The document explains that the increased usage of these devices in the U.S. has led to an increase in cybersecurity vulnerabilities and that the FDA is at the forefront of helping reduce cybersecurity issues related to the use of connected medical devices.

That said, “Currently, the FDA’s safety communications fall into two main categories: device-specific information, and software and hardware supply-chain issues. The FDA tailors its communications depending on the specific audiences (such as patients, healthcare providers, and industry) and the communication type (such as safety or educational communications). The FDA also tailors its communications based on the urgency of the issue and the public health impact. The FDA acts promptly to communicate on cybersecurity vulnerabilities with the public to ensure they are aware of these issues and have the information they need to take appropriate action. Clear, actionable communication is one way to help protect and promote public health, and help ensure that patients, who depend on their medical devices, stay informed and protected. We shared the challenge of communicating cybersecurity vulnerabilities with the Patient Engagement Advisory Committee (PEAC) for their recommendations for future communications.”

The paper includes best practices for communications, including:

  • Making content easy for people to read and understand, including how to:
    • Keep it timely
    • Keep it relevant
    • Keep it simple
    • Keep it readable for diverse audiences
  • Discussing risks and benefits
  • Acknowledging and explaining the unknown
  • Making it easy for patients to find and use, including:
    • Making communications easy to find in online searches
    • Making communications easy to view on mobile devices

As cyber threats continue to grow, 67 percent of patient care organizations have now been victims of ransomware attacks, with 33 percent having already been hit at least twice. Just last week, reports on the FIN12 ransomware gang said that the group prefers quick malware deployment against sensitive, high-value targets, making healthcare organizations prime targets. Also last week, Medtronic issued a device recall for its MiniMed remote controller because the company believes the device could be susceptible to a cybersecurity risk.

The report notes that “This document is not guidance and does not create or convey any policies on regulatory matters or any regulatory expectations.”

The full report can be accessed here.
