US Regulators Propose Expanded Medical Device Cybersecurity Approach
EMERGO SUMMARY OF KEY POINTS:
- US FDA has proposed various measures to boost cybersecurity risk mitigation in a new Medical Device Safety Action Plan.
- The agency has also proposed merging pre- and post-market units of its Center for Devices and Radiological Health (CDRH) division.
- A proposed new Cybermed Safety (Expert) Analysis Board would coordinate cybersecurity risk management efforts between industry and FDA, according to the new plan.
The US Food and Drug Administration is considering several new measures to address medical device safety and cybersecurity, including a new public-private coordinating board to evaluate high-risk, high-impact connected devices.
The cybersecurity and related measures make up the agency’s new Medical Device Safety Action Plan, developed to focus also on issues including streamlined post-market processes; foster innovation to boost device safety; and merge the Center for Devices and Radiological Health’s (CDRH) premarket and post-market branches to advance a “Total Product Lifecycle” or TPLC approach to device evaluation and oversight.
Cybersecurity improvements and the CYMSAB
Keeping pace with evolving cybersecurity threats and vulnerabilities is a key component of the agency’s Medical Device Safety Action Plan.
Among device cybersecurity improvements FDA proposes in the plan is the formation of the CyberMed Safety (Expert) Analysis Board (CYMSAB). The board would comprise experts from hardware, software, networking, clinical and biomedical engineering backgrounds to push integration of patient safety and clinical environment factors into assessments and validations of high-risk devices and incidents. CYMSAB responsibilities would include:
- Vulnerability assessments
- Evaluating patient safety risks
- Dispute adjudication
- Proposed mitigation assessments
- Consulting support for organizations undergoing the coordinated disclosure process
- Investigating suspected and confirmed device compromises or issues in the field upon FDA or manufacturer request
(The Trump Administration’s proposed federal budget for the 2019 fiscal year includes funding to create the CYMSAB, as well.)
Additional cyber-related proposals in the FDA Medical Device Safety Action Plan include changes to pre- and post-market requirements:
- Manufacturers would have to build in capabilities for updates and patches to their device designs, and submit data pertaining to these capabilities in their premarket applications to FDA;
- Manufacturers would also have to develop “Software Bills of Materials” to be submitted to FDA during premarket reviews and also provided to customers and end-users to facilitate better management of networked devices and technologies;
- Premarket guidance on device cybersecurity would be updated to help mitigate moderate risks such as ransomware campaigns as well as significant risks posed by vulnerabilities that could cause multi-patient incidents;
- Establishing post-market authority requiring manufacturers to implement policies and procedures to coordinate disclosure of cyber vulnerabilities as they become known.
In addition to beefing up cybersecurity risk mitigation policies, FDA would also combine the pre- and post-market offices of its CDRH division in order to focus more on devices’ total product lifecycles (TPLC), which the agency argues will enhance safety oversight.
“Historically, FDA’s medical devices center, CDRH, has been organized largely according to the stage of the product’s life cycle—premarket review, postmarket surveillance, and compliance—rather than holistically by the type of product being regulated,” states the Medical Device Safety Action Plan.
Such an organization allowed for specialization according to function, but limited the regulators’ capacity to effectively oversee a rapidly evolving and innovative device sector.
According to the Medical Device Safety Action Plan, FDA would reorganize CDRH into a single unit with seven offices focused on specific device types; each of these smaller offices would manage premarket review, post-market surveillance, quality and enforcement efforts. CDRH would also launch a new office responsible for setting clinical evidence policy.
Emergo will provide additional updates on the FDA Medical Device Safety Action Plan as the agency moves toward implementation.