[BreachExchange] Reducing Cybersecurity Vulnerabilities Part of FDA Action Plan

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 20 20:25:02 EDT 2018


https://healthitsecurity.com/news/reducing-cybersecurity-vulnerabilities-part-of-fda-action-plan

The Food and Drug Administration (FDA) is asking Congress for additional
authority and funding to expand its efforts to improve medical device
safety, including reducing cybersecurity vulnerabilities in devices, said
FDA Commissioner Scott Gottlieb in announcing this week a new medical device
safety action plan.

As part of those efforts, the FDA wants to set up a CyberMed Safety
(Expert) Analysis Board, which would be a public-private partnership
between the FDA and devices makers to complement existing device
vulnerability coordination and response mechanisms.

The board would include individuals with expertise in hardware, software,
networking, biomedical engineering, and clinical environments. It would
assess vulnerabilities, evaluate patient safety risks, adjudicate disputes,
assess proposed mitigations, serve as consultants to organizations
navigating the coordinated disclosure process, and function as a “go-team”
that could be deployed in the field to investigate a suspected or confirmed
device compromise.

“The operationalization of [the board] would be an invaluable asset to FDA,
industry, and healthcare facilities in averting and responding to
cybersecurity vulnerabilities and exploits,” the action plan observed.

Funding for the board would come out of the Expand the Digital Technology
Industry program in the Trump administration’s fiscal year 2019 budget
proposal submitted to Congress earlier this year.

In addition, the FDA is considering requiring device makers to build in a
capability to update and patch device security into product design and to
provide data on this capability to the agency as part of the device’s
premarket submission.

Device makers would also be required to provide a “software bill of
materials” to the FDA as part of premarket submission. This would enable
device customers and users to better manage their network assets and be
aware of which devices may have vulnerabilities as well as assist in
postmarket mitigation efforts.
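The article states that an SBOM lets device customers see which devices may carry vulnerable components. The script below is an added illustration of that idea, not code from the article, the FDA or any device maker: it loads constructed SBOMs for two hypothetical devices (a simplified CycloneDX-style "components" list of name/version pairs), matches them against constructed advisories whose IDs are placeholders, and reports which devices fall inside an advisory's affected version range. Version ordering uses a small hand-written comparison that handles suffixes such as "1.0.2k", since these are common in embedded component versions.

```python
"""Added example (not from the article or the FDA): using a software bill of
materials (SBOM) to find which devices carry a component named in an advisory.
All SBOMs, devices and advisory IDs below are constructed for illustration."""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOMs, one per hypothetical device. The shape loosely follows
# CycloneDX (a "components" list with "name" and "version") but is simplified.
SBOMS: Dict[str, str] = {
    "infusion-pump-A": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "1.0.2k"},
            {"name": "busybox", "version": "1.27.2"},
        ],
    }),
    "patient-monitor-B": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "1.1.0g"},
            {"name": "busybox", "version": "1.28.1"},
            {"name": "zlib"},  # version missing: cannot be assessed, skipped
        ],
    }),
}

# Constructed advisories with placeholder IDs. A component is affected when
# introduced <= version < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl",
     "introduced": "1.0.2", "fixed": "1.0.2l"},
    {"id": "ADV-EXAMPLE-0002", "component": "busybox",
     "introduced": "1.27.0", "fixed": "1.28.0"},
]

_PART = re.compile(r"^(\d*)(.*)$")


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.2k' into ((1, ''), (0, ''), (2, 'k')) so tuples compare
    numerically first and by letter suffix second."""
    parts = []
    for piece in version.split("."):
        match = _PART.match(piece)
        num, suffix = match.group(1), match.group(2)
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_affected(sboms: Dict[str, str],
                  advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (device, component, version, advisory_id) for every match.
    Components without a name or version are skipped rather than guessed."""
    hits = []
    for device, sbom_json in sboms.items():
        sbom = json.loads(sbom_json)
        for comp in sbom.get("components", []):
            name, version = comp.get("name"), comp.get("version")
            if not name or not version:
                continue
            for adv in advisories:
                if adv["component"] == name and is_affected(
                        version, adv["introduced"], adv["fixed"]):
                    hits.append((device, name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for device, name, version, adv_id in find_affected(SBOMS, ADVISORIES):
        print(f"{device}: {name} {version} affected by {adv_id}")
```

Run as-is, it reports both components of infusion-pump-A and nothing for patient-monitor-B. In practice the advisory list would come from a vendor's coordinated disclosure feed and the SBOMs from premarket or update documentation; the matching logic stays the same.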

The FDA plans to update its premarket guidance on medical device
cybersecurity to protect against moderate risks, such as ransomware, and
major risks, such as remote exploitation of devices that results in a
catastrophic attack on many patients.

The agency is also considering new postmarket authority to require firms to
adopt policies and procedures to coordinate disclosure of vulnerabilities
as they are identified.

“Like computers and the networks they operate in, medical devices can be
vulnerable to security breaches. Exploitation of device vulnerabilities
could threaten the health and safety of patients,” Gottlieb observed.

The FDA is considering requiring additional information on labels for
physicians, as well as more training and user education, explained
Gottlieb. These new rules could be issued under an existing umbrella
regulation, he noted.

In the action plan, the FDA describes key steps it plans to take in the
following areas:

• Establish a medical device patient safety net

• Explore regulatory options to streamline implementation of postmarket
mitigations

• Spur innovation towards safer medical devices

• Improve medical device cybersecurity

• Integrate the Center for Devices and Radiological Health's premarket and
postmarket offices and activities to expand the use of a total product life
cycle (TPLC) approach to device safety

Gottlieb explained that the center is integrating its premarket and
postmarket offices to optimize decision making about medical devices. Some
of the risks inherent in medical devices are better understood once the
devices have been widely distributed to patients and clinicians, he said.

The FDA is also exploring what steps it can take to spur innovation in
medical devices. The agency’s Breakthrough Device Program could be used to
improve patient access to innovative new devices and patient safety at the
same time. In addition, a similar program just for innovations in device
safety is under consideration, Gottlieb noted.

In the next few months, the agency is looking to develop scientific
toolkits that can be used premarket so that developers can ensure their
devices meet safety standards. As part of this effort, the FDA issued draft
guidelines April 12 on a voluntary 510(k) pathway for moderate risk devices
to more efficiently demonstrate safety and effectiveness and for device
makers to demonstrate their products are safer than other technologies on
the market.

The FDA is also working to establish a National Evaluation System for
Health Technology (NEST), which would be a surveillance and evaluation
system operated by a public-private partnership.

“[NEST] will facilitate timely detection of potential safety risks that
wouldn’t otherwise be identified as quickly, or at all,” Gottlieb related.

The action plan describes how the FDA will support development of NEST. As
part of its fiscal year 2019 budget, the agency is seeking additional
funding to turn NEST into a more active surveillance tool.

“Medical device safety is a key priority for the FDA. We’re committed to
protecting American patients by minimizing avoidable risks and advancing
device technologies that are delivering growing benefits,” Gottlieb
concluded.