The U.S. Food and Drug Administration (FDA) recently released a Medical Device Safety Action Plan detailing its current initiatives and future plans to ensure the safety of medical devices while promoting innovation throughout the entire lifecycle of a device. As medical devices become more technologically advanced, the FDA is increasingly concerned about the threat of security breaches involving those devices. One major concern is the vulnerability of devices’ software components, which creates the risk of a remote, multi-patient attack. The FDA previously issued guidance on cybersecurity concerns that should be considered in the design and development of medical devices, and on the mitigation of risk once medical devices are placed on the market. Despite those prior efforts, it appears that more needs to be done to maintain the security of medical devices. In addition to planning to update its prior guidance, one FDA proposal would require firms involved in the development and design of medical devices to ensure that the devices have the capability to implement updates and patches to address potential security concerns.
In addition, the FDA proposes requiring medical device manufacturers to provide the FDA, customers, and device users with a list of all of a device's software components, in order to better manage and streamline the mitigation of vulnerabilities in that software once the device is on the market. The FDA is also considering a process whereby such companies will, in a coordinated manner, disclose vulnerabilities found in the software once the device is on the market.
Finally, the FDA is exploring the creation of a “CyberMed Safety (Expert) Analysis Board” whose functions will include “assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations, serving in a consultative role to organizations navigating the coordinated disclosure process, and serving as a ‘go-team’ that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request.”
The FDA is accepting feedback on its Medical Device Safety Action Plan at www.regulations.gov through the public docket, FDA-2018-N-1315.