US needs cyber-savvy doctors as connected device use rises, FDA panel says

Thinking about medical device cybersecurity risk is a little like considering a potential airplane crash, Thermo Fisher Scientific cybersecurity researcher Jay Radcliffe told FDA’s Patient Engagement Advisory Committee Tuesday.
The impact if the risk played out could be high, but the probability of it being realized is low.
Unlike a plane crash, it’s usually difficult for patients to conceptualize these risks, which underscores the importance of training healthcare providers in cybersecurity to help guide patients, presenters and panelists advised the agency.

And the fact that risks are difficult to quantify or mitigate doesn’t change the responsibility FDA and manufacturers have to inform patients and providers of all known vulnerabilities through well-tailored communications, the panel said.

Often, patients’ most trusted caregivers lack the expertise to help them engage safely with their connected devices. It’s rare for a professional to have a high degree of both clinical and cybersecurity knowledge, said presenter Kevin Fu, an embedded security researcher and associate professor at the University of Michigan. “Not many students are able to survive that kind of rigorous training,” he told the panel.
Still, panelist Mondira Bhattacharya, VP of pharmacovigilance at MyoKardia, said cyber training ought to be increasingly incorporated into medical, pharmacy and nursing school curriculums, particularly in device-heavy specialties like cardiology or nephrology.
Better training in healthcare organizations would allow for more thorough informed consent processes, which will become even more important as the availability of non-connected devices to patients declines, said presenter Christian Dameff, medical director of cybersecurity at UC San Diego Health.
Researchers lack good data on how often medical devices are hacked, but that awareness could be improved, Dameff said, as better-informed patients become more aware of signs of adverse events.
Despite some concern from FDA about unnecessarily burdening a patient with too many communications, the panel resoundingly agreed that regulators have a duty to inform patients of known device vulnerabilities, even if a mitigation is not yet available. FDA’s knowledge could factor into a benefit-risk analysis so it ought to be shared across many different channels, the panel said.
As for how messages are framed and how frequently they’re sent — it’s not a one-size-fits-all solution, the committee said. Situations vary by device type and disease state as well as by a person’s internet connectivity, age and ability. Input from any given patient population should be included in FDA’s development of tailored strategies, panelists said.