Ahead of a new US Food and Drug Administration (FDA) draft guidance set to be released in FY 2019, lead of cybersecurity initiatives at the Center for Devices and Radiological Health (CDRH) Suzanne Schwartz previewed policy changes at RAPS’ 2018 Convergence.
The US healthcare industry has become a target for cyberattacks over the past few years, and this has been linked in part to inadequate device designs. Devices must undergo regulatory premarket review, and vulnerabilities found in them are mitigated with patches or other interventions.
In light of recent cyberattacks, and as connected devices play an increasing role in care delivery and become more sophisticated, FDA saw a need to update the policies set forth in the premarket guidance finalized in 2014. The “plan in place” was first discussed by Schwartz, who also serves as associate director for science and strategic partnerships, at an Association for the Advancement of Medical Instrumentation conference in March.
From integrated policies on threat modeling and cybersecurity-related design inputs for devices to new incentives around information sharing to foster a collaborative, coordinated approach on vulnerability disclosures, the new draft guidance will revamp a wide range of premarket policies.
Coordinated vulnerability disclosure is an approach that is “better poised to addressing vulnerabilities” and has become increasingly important for FDA, Schwartz said during a cybersecurity session on Friday at RAPS’ Convergence in Vancouver. The updated draft guidance will put significant emphasis on this issue.
Another major policy change to be introduced via the draft guidance, in keeping with the theme of greater coordination, aims to clarify that cybersecurity is a shared responsibility among all stakeholders across the entire medical device ecosystem, Schwartz noted.
These emerging policy themes are discussed in a new report from the Medical Device Innovation Consortium, cybersecurity being one of several projects it is tackling at FDA’s request. The report on coordinated vulnerability disclosure (CVD), which is largely based on interviews conducted by a law firm and a consulting firm, offers several reasons for medical device manufacturers to develop CVD policies, including legal and commercial benefits. It also lays out factors to consider in developing internet-based portals for receiving vulnerability reports.
Adoption of CVD policies and these online portals will create a communication bridge through which patchability and updatability can be consistently documented, Schwartz said. This will also allow for greater efficiency, timeliness and predictability in responding proactively to vulnerabilities.
Other new areas the draft guidance will seek to address include potential disruption to clinical care from impacts on critical infrastructure, as well as remote, multi-patient cyberattacks. FDA is also considering whether additional authorities are needed to impose new industry requirements, Schwartz noted. These requirements would include building patchability and updatability capabilities into product designs, developing a software bill of materials and adopting CVD policies.
More news coverage of RAPS’ 2018 Convergence is available from Regulatory Focus.