- The Food and Drug Administration (FDA) is asking Congress for additional authority and funding to expand its efforts to improve medical device safety, including reducing cybersecurity vulnerabilities in devices, said FDA Commissioner Scott Gottlieb in announcing this week a new medical device safety action plan.
As part of those efforts, the FDA wants to set up a CyberMed Safety (Expert) Analysis Board, which would be a public-private partnership between the FDA and devices makers to complement existing device vulnerability coordination and response mechanisms.
The board would include individuals with expertise in hardware, software, networking, biomedical engineering, and clinical environments. It would assess vulnerabilities, evaluate patient safety risks, adjudicate disputes, assess proposed mitigations, serve as consultants to organizations navigating the coordinated disclosure process, and function as a “go-team” that could be deployed in the field to investigate a suspected or confirmed device compromise.
“The operationalization of [the board] would be an invaluable asset to FDA, industry, and healthcare facilities in averting and responding to cybersecurity vulnerabilities and exploits,” the action plan observed.
Funding for the board would come out of the Expand the Digital Technology Industry program in the Trump administration’s fiscal year 2019 budget proposal submitted to Congress earlier this year.
In addition, the FDA is considering requiring device makers to build in a capability to update and patch device security into product design and to provide data on this capability to the agency as part of the device’s premarket submission.
Device makers would also be required to provide a “software bill of materials” to the FDA as part of premarket submission. This would enable device customers and users to better manage their network assets and be aware of which devices may have vulnerabilities as well as assist in postmarket mitigation efforts.
The FDA plans to update its premarket guidance on medical device cybersecurity to protect against moderate risks, such as ransomware, and major risks, such as remote exploitation of devices that results in a catastrophic attack on many patients.
The agency is also considering new postmarket authority to require firms to adopt policies and procedures to coordinate disclosure of vulnerabilities as they are identified.
“Like computers and the networks they operate in, medical devices can be vulnerable to security breaches. Exploitation of device vulnerabilities could threaten the health and safety of patients,” Gottlieb observed.
The FDA is considering requiring additional information on labels for physicians, as well as more training and user education, explained Gottlieb. These new rules could be issued under an existing umbrella regulation, he noted.
In the action plan, the FDA describes key steps it plans to take in the following areas:
• Establish a medical device patient safety net
• Explore regulatory options to streamline implementation of postmarket mitigations
• Spur innovation towards safer medical devices
• Improve medical device cybersecurity
• Integrate the Center for Devices and Radiological Health's premarket and postmarket offices and activities to expand the use of a total product life cycle (TPLC) approach to device safety
Gottlieb explained that the center is integrating its premarket and postmarket offices to optimize decision making about medical devices. Some of the risks inherent in medical devices are better understood once the devices have been widely distributed to patients and clinicians, he said.
The FDA is also exploring what steps in can take to spur innovation in medical devices. The agency’s Breakthrough Device Program could be used to improve patient access to innovative new devices and patient safety at the same time. In addition, a similar program just for innovations in device safety is under consideration, Gottlieb noted.
In the next few months, the agency is looking to develop scientific toolkits that can be used premarket so that developers can ensure their devices meet safety standards. As part of this effort, the FDA issued draft guidelines April 12 on a voluntary 510(k) pathway for moderate risk devices to more efficiently demonstrate safety and effectiveness and for device makers to demonstrate their products are safer than other technologies on the market.
The FDA is also working to establish a National Evaluation System for Health Technology (NEST), which would be a surveillance and evaluation system operated by a public-private partnership.
“[NEST] will facilitate timely detection of potential safety risks that wouldn’t otherwise be identified as quickly, or at all,” Gottlieb related.
The action plan describes how the FDA will support development of NEST. As part of its fiscal year 2019 budget, the agency is seeking additional funding to turn NEST into a more active surveillance tool.
“Medical device safety is a key priority for the FDA. We’re committed to protecting American patients by minimizing avoidable risks and advancing device technologies that are delivering growing benefits,” Gottlieb concluded.