Healthcare Information Security

FDA Expects Updated Medical Device Security Guidance This Fall

The FDA plans to update its pre-market guidance for medical device security this fall, said FDA Commissioner Scott Gottlieb this week.

By Fred Donovan

The FDA plans to update its premarket guidance for medical device security this fall, said FDA Commissioner Scott Gottlieb during a Sept. 5 speech to the Medical Device Innovation Consortium 2018 Annual Public Forum.

The guidance will include recommendations for how manufacturers can protect against moderate and major risks, such as ransomware campaigns that disrupt clinical operations, as well as exploits involving a remote, multi-patient attack.

“In recent years, the FDA, manufacturers, and healthcare organizations have made significant progress to address and improve the cybersecurity of medical devices. But this is a rapidly evolving space. We know we all must keep pace,” said Gottlieb.

“In the coming months, the FDA will share our progress on a number of actions to help strengthen device cybersecurity. Our new efforts are aimed at both protecting against attacks and enhancing response to cyber vulnerabilities or actual incidents,” he added.

In April, the FDA released its medical device safety action plan that included plans to update its premarket guidance on medical device security to protect against moderate risks, such as ransomware, and major risks, such as remote exploitation of devices that results in a catastrophic attack on many patients.

In 2016, FDA also finalized its postmarket guidance, which established a risk-based framework for assessing changes in medical device cybersecurity. That guidance also reviews how changes should be reported or handled so devices do not keep cybersecurity vulnerabilities in place once they’re identified. The agency is also considering new postmarket authority to require firms to adopt policies and procedures to coordinate disclosure of vulnerabilities as they are identified.

The FDA said the Center for Devices and Radiological Health is integrating its premarket and postmarket offices to optimize decision making about medical devices. Risks inherent in medical devices are better understood once the devices have been widely distributed to patients and clinicians, the agency explained.

As part of its fiscal year 2019 budget, the FDA is seeking additional funding to turn NEST into a more active surveillance tool.

In his Wednesday speech, Gottlieb said that his agency has awarded a contract to Medical Device Innovation Consortium (MDIC) to manage NEST. MDIC is a public-private partnership set up to improve the medical technology environment.

NEST has so far established relationships with 11 data partners, 150 hospitals, and thousands of outpatient clinics. Taken together, they represent nearly 470 million patient records.

NEST’s data partners will conduct testing to assess their system’s capabilities for addressing real-world evidence questions across the total product life cycle.

“We believe manufacturers will be able to recoup their investments through a competitive marketplace that values safety and quality. And so, toward achieving this end, MDIC and CDRH are working together to create a ‘case for quality’ as part of FDA’s medical device safety action plan,” he said.

Gottlieb said that clear performance metrics for safety outcomes and organizational quality maturity can help manufacturers gain market share, while prompting the rest of the industry to catch up.

“This is how our focus on safety and quality can be a win-win, advancing the health and safety of patients and helping to promote a more inclusive business model for innovators,” he said.

The project will be supported by the FDA’s Voluntary Manufacturing and Product Quality pilot that was launched earlier this year. This product pilot uses a maturity model approach to advance device quality that complements the agency’s current quality systems and inspection framework.

Through the pilot, the FDA has seen a return on investment for participants ranging from $65,000 to $1.2 million. Gottlieb cited the case of a small manufacturer improving clinical trial intake times from six months to 28 days.

“We’ve advanced new policies to help efficiently promote innovation in medical product development and also secure device safety. Innovation and safety can and must go hand-in-hand. That’s why we’re focusing equal attention on advancing new frameworks for identifying risks and protecting patients,” Gottlieb said.
