
FDA’s Best Practices on Communicating Medical Device Vulnerabilities

The FDA’s Center for Devices and Radiological Health released best practices for communicating medical device vulnerabilities to patients and caregivers.


By Jill McKeon

The US Food and Drug Administration’s (FDA) Center for Devices and Radiological Health recently released best practices for communicating medical device vulnerabilities to patients and caregivers in light of growing concerns about medical device security.

The document provides actionable tips for industry stakeholders to communicate connected medical device risks adequately and efficiently.

Medical device security is a growing concern in the healthcare security space. Medical devices tend to be portable and connected to a hospital’s network, making them significantly vulnerable to bad actors.

McAfee researchers recently discovered a vulnerability in two types of infusion pumps that could potentially enable hackers to remotely administer double doses of medications, causing injuries or death.

While no cases have been reported regarding the specific infusion pump, the vulnerability shed light on the fragility of medical device security and the risks the devices pose to patient safety.

Additionally, the University of Minnesota recently announced its new Center for Medical Device Cybersecurity (CMDC), created to foster innovation and collaboration to ensure the safety of medical devices.

“The FDA acts promptly to communicate on cybersecurity vulnerabilities with the public to ensure they are aware of these issues and have the information they need to take appropriate action,” the document stated.

“Clear, actionable communication is one way to help protect and promote public health, and help ensure that patients, who depend on their medical devices, stay informed and protected.”

The FDA stated that it is crucial that organizations develop a communications strategy regarding medical device security. Organizations should ensure that the messaging is clearly interpretable, explicitly discusses risks, and acknowledges the unknown.

“Whenever feasible, communicate with patients and caregivers as early as possible, especially if the cybersecurity vulnerability may present a risk to patient safety,” the document explained.

“Early access to serious cybersecurity vulnerability information may provide assurance to patients and empower them to take early action to avoid any potentially harmful consequences to their health. Furthermore, early access to this information may also help build trust with patients and the public.”

The FDA also emphasized the importance of including a call to action in all communications to patients and caregivers. Organizations should educate patients on how they can mitigate risks themselves and provide clear and concise directions to do so.

Healthcare providers should keep the guidance as simple and straightforward as possible, the agency suggested.

“Using terminology that the target audience understands is a best practice in communications, and pilot testing the communication with the intended audience can help better assess what they do and do not understand,” the FDA continued.

The agency recommended incorporating search engine optimization (SEO) strategies into communications so that patients can easily find reputable information about their medical devices.

Organizations should consider channels such as email, patient listservs, text messages, and websites to disseminate information.

“Communicating about medical device safety is an important part of the FDA’s work to ensure patient safety and the overall safety and effectiveness of medical devices,” the document concluded.

“As the use of connected medical devices increases and cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful, it is increasingly important for the FDA, industry, and other messengers to consider ways to improve on cybersecurity safety communications.”