CDRH Committee Discusses Challenges in Communicating Cybersecurity Concerns

The US Food and Drug and Administration’s (FDA) Center for Devices and Radiological Health (CDRH) on Tuesday convened its Patient Engagement Advisory Committee (PEAC) to discuss the difficulties and challenges in communicating cybersecurity safety risks and threats.

Since 2013, CDRH has released safety communication related to eight device cybersecurity concerns, although the center notes that issues are customarily disclosed when there is a software update to fix an issue. For instance, three safety communications related to Abbott’s (formerly St. Jude Medical) implantable cardiac devices included such fixes.

“Unlike other safety messages, cybersecurity concerns pose the unique challenge of communicating potential risks for which the probability and/or likelihood of occurrence of a successful exploit is not known,” CDRH says in a report issued alongside the committee meeting.

And in terms of communicating the potential harms, CDRH notes that phrasing in terms of probabilities or likelihoods may not be the most appropriate approach. In addition, trying to mitigate risks while a definitive software update or other fix is deployed can introduce other risks, such as halting the use of a device that is beneficial to the patient.

“Currently, there is no suitable model or mathematical formulation that would enable risk quantification of a medical device cybersecurity vulnerability extrapolating to risk of potential patient harm. The absence of such a construct impedes informed decision making between patients and providers in determining whether the benefits of a patient receiving device updates for cybersecurity concerns outweighs the potential risks of undergoing the updates,” CDRH says.

Discussions at the meeting centered on who should be communicating the cybersecurity vulnerabilities (some seemed to agree that a doctor should not be the one while others suggested device manufacturers should provide updates), whether FDA should work further with its international colleagues on cybersecurity (FDA and Health Canada co-chair IMDRF’s work item on developing harmonized cybersecurity principles) and whether patients should be made aware of any vulnerabilities prior to an implantation or new use of a device.

“I don’t think we should wait until the risks are known to act,” temporary non-voting committee member Rajiv Rimal, professor at George Washington University, said.

On the question of what FDA should consider as a “trigger” to communicate about devices affected by a cybersecurity vulnerability, committee member and health communication consultant Bennet Dunlap said: “We do better with knowledge.” He called on any known risks to be disclosed, especially prior to implantation of a device.

But others suggested that whether a risk is identified or communicated to patients should depend on the type of device.

Earlier in the day, CDRH and industry also offered their takes on when and why they may issue cybersecurity communications after vulnerabilities are discovered and risks are analyzed.

CDRH Patient Engagement Advisory Committee