The FDA will soon release a new draft of its premarket cybersecurity guidance document to combat the growing threat of cyber attacks. In addition, the agency announced multiple partnerships with manufacturers, hospitals and others, along with the release of a cybersecurity playbook and the possibility of a new center dedicated to cybersecurity.
The clear message from the agency is that a multi-pronged approach, with buy-in from all involved, is critical to staying ahead of bad actors.
The FDA’s moves come on the heels of a report from the U.S. Dept. of Health and Human Services’ Office of Inspector General that found that FDA needed to take additional steps to ensure medtech cybersecurity.
Here are the key takeaways from the press release:
- A new draft guidance updates the existing documents from 2014. The new version will highlight the utility of providing customers and users with a “cybersecurity bill of materials” – a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities. Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats.
- The agency signed two significant memoranda of understanding with multiple stakeholders to create information sharing and analysis organizations (ISAOs). These groups, which include manufacturers, hospitals, health care providers, cybersecurity researchers and government entities, will allow increased information sharing and transparency around cybersecurity risks. Importantly, FDA reiterated to manufacturers that joining ISAOs is a signal to the agency that they’re being proactive in addressing cybersecurity. Although there is no requirement as yet, it is clear that CDRH will view such participation as a positive step.
- The MITRE Corporation, with support from the FDA, released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. The playbook describes the types of readiness activities that’ll enable healthcare delivery organizations (e.g., hospitals) to be better prepared for a cybersecurity incident involving their medical devices.
- FDA also developed its own internal playbook to help agency staff address cybersecurity threats, vulnerabilities and incidents. The internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, health care systems and ultimately, patients.
- Finally, FDA said it is taking steps to continue building the medical device cybersecurity program. FDA’s Fiscal Year 2019 Budget proposed to create a Center of Excellence for Digital Health. This Center of Excellence would help establish more efficient regulatory paradigms, consider the building of new capacity to evaluate and recognize third-party certifiers, and support a cybersecurity unit to complement the advances in software-based devices.