FDA looks to define ‘triggers’ for medical device cybersecurity warnings
- FDA wants to strengthen its protocol for deciding when a medical device cybersecurity vulnerability should trigger a warning from regulators, the agency indicated in documents prepared ahead of its Patient Engagement Advisory Committee Tuesday. The best course of action may vary across implanted, connected or worn devices, it said.
- The Center for Devices and Radiological Health traditionally has taken a proactive approach to alerting patients and healthcare providers to potential cyber risks, it said, even in some cases when the probability of exploitation is unknowable. But making such calls isn’t always straightforward. “[I]n the absence of an effective way to reduce risk, prematurely communicating can increase opportunity for exploit by highlighting a potentially unknown issue and, by extension, increasing potential exposure to harm,” the agency wrote.
- Other questions for the committee are whether better cybersecurity education should be required for patients when a physician prescribes a device, how to best reach people with limited internet access, and which channels of communication patients prefer. The panel meeting happens Tuesday in Gaithersburg, Maryland.
FDA’s inquiries boil down to when and how to best inform patients of potential cybersecurity risks.
“FDA’s approach regarding medical device cybersecurity, by necessity, has been anticipatory, forward-leaning and proactive as vulnerabilities are identified and verified before exploit, rather than waiting for a signal or indicator of harm becoming manifest,” the agency wrote in an executive summary. “This is an important distinction to note compared to the triggers that FDA uses to initiate other, non-cybersecurity-related safety communications.”
Panelists will be asked to discuss whether FDA should communicate upon identification of a vulnerability or whether it’s better to wait until a risk reduction measure is available. FDA said definitive fixes can take months to develop and test, and, while the agency recommends short-term risk reduction measures, those measures can themselves introduce new risks, such as stopping use of a device that may benefit a patient.
FDA shares responsibility for disseminating information about medical device cybersecurity risks with several other organizations including the Department of Homeland Security. DHS issued 63 advisories between Oct. 23, 2013 and March 31, 2019, representing each time it became aware of a medical device cybersecurity vulnerability.
FDA, in contrast, only issues notifications for cases it believes could present a safety risk to patients. The agency issued eight such communications between June 13, 2013 and June 27, 2019. Three of the eight were related to St. Jude Medical’s implantable cardiac devices, FDA said in its pre-meeting briefing. Two cybersecurity safety communications this year targeted the potential for tampering in certain Medtronic insulin pumps, cardiac implantable cardioverter defibrillators, and cardiac resynchronization therapy defibrillators.
Once an issue is deemed worth flagging to patients, how to best communicate risk through FDA’s website, emails, or other channels remains a work in progress for the agency. Social media, primarily mobile Facebook, is generating an increasing amount of traffic to CDRH safety communications, the agency reported.
Obstacles to quality communication include audience health literacy, the effects of stress experienced by target audiences and language barriers, regulators wrote. A 2019 Pew Research Center estimate found 10% of U.S. adults do not use the internet, complicating matters.
Acting FDA Commissioner Ned Sharpless is slated to speak to the panel Tuesday morning. Other scheduled presenters include BD’s associate director of cybersecurity incident response, Nastassia Tamari, and Thermo Fisher Scientific cybersecurity researcher Jay Radcliffe.
Pegging cybersecurity as a top-five priority in 2018’s Medical Device Safety Action Plan, FDA said it planned to consider requiring firms to incorporate patching capability into product design and to provide a software bill of materials to the agency, customers, and users to help streamline postmarket mitigations. It also issued updated draft guidance last October on the content of premarket submissions for cybersecurity management.
On the postmarket side, regulators said they would consider requiring firms to adopt policies for coordinated disclosure of vulnerabilities upon identification and explore creation of a public-private team of experts in hardware, software, networking, biomedical engineering, and clinical care that FDA or industry could ask to investigate suspected or confirmed cases of device compromise.