FDA Announces Plan to Advance Medical Device Safety and Cybersecurity

April 18, 2018
The Food and Drug Administration (FDA) has announced new proposals aimed at advancing medical device cybersecurity, including placing new responsibilities on manufacturers, both before and after their devices hit the market.

While medical devices play an increasing role in patient care and provide life-saving benefits to patients, these devices can be vulnerable to security breaches and therefore pose significant risks to healthcare cybersecurity. To address medical device safety, the Food and Drug Administration (FDA) has announced plans to advance new frameworks for identifying risks and protecting consumers, including proposals aimed at advancing medical device cybersecurity.

This week, the FDA released the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. This new Action Plan outlines the FDA’s vision for how the agency can continue to enhance programs and processes to assure the safety of medical devices. “Our aim is to make sure that the new advances in technology that are enabling better capabilities and benefits are also harnessed to bring added assurances of safety, so that more patients can benefit from new devices and address unmet needs,” FDA Commissioner Scott Gottlieb, M.D., said in a statement.

Specifically, the FDA’s medical device safety action plan focuses on five key areas:

Establish a robust medical device patient safety net in the U.S.;

Explore regulatory options to streamline and modernize timely implementation of post-market mitigations;

Spur innovation towards safer medical devices;

Advance medical device cybersecurity; and

Integrate the FDA’s Center for Devices and Radiological Health (CDRH) premarket and post-market offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety.

According to Gottlieb’s statement, the FDA already has taken several steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices. As part of this new action plan, FDA officials are seeking additional authorities and funding from Congress, which would build on the agency’s work to date and further minimize medical device cybersecurity vulnerabilities and exploits.

The agency is considering placing new responsibilities on manufacturers, both before and after their devices hit the market. Specifically, the FDA is considering potential new premarket authorities to require firms, on the front end, to build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA as part of the device’s premarket submission. The FDA may also require firms to develop a “Software Bill of Materials” that must be provided to the FDA as part of a premarket submission and made available to medical device customers and users.

Additionally, FDA plans to update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack). The agency also is considering new post-market authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.

The FDA is also considering form a public-private partnership, a CyberMed Safety (Expert) Analysis Board, that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and the agency.

The Association of Executives in Healthcare Information Security (AEHIS) issued a statement in support of the FDA’s efforts to improve medical device cybersecurity and called the proposals “promising.”

Erik Decker, AEHIS chair and chief security and privacy officer at University of Chicago Medicine, said in the statement: “The challenges of protecting medical devices from cyberattacks is a hot topic within our association. We believe all parties understand this challenge is a shared responsibility; today’s FDA announcement is an important step toward furthering this goal.”

AEHIS has consistently advocated for policies that bring greater protections to the healthcare sector and transparency for providers who purchase these devices.