[BreachExchange] Should the FDA Create a Cybersecurity Measuring Stick?

[Audrey McNeil]

https://www.databreachtoday.com/should-fda-create-
cybersecurity-measuring-stick-a-11074


The Food and Drug Administration should consider some sort of measuring
stick when assessing a vendor's cybersecurity culture to determine if it
qualifies for the agency's proposed fast-path program for premarket
approval of "software as a medical device" products, some industry
stakeholders say.

The FDA accepted comments on its "working model" for a SaMD
precertification program through May 31.

The agency will review and incorporate the public feedback as it refines
its plans for the proposed program.

The federal Regulations.gov website shows that FDA has received more than
60 comments on its plans for a precertification program to fast-path
certain SaMD products for premarket approval. Those comments also include
feedback on the FDA's initial plans announced in 2017 for a pilot SaMD
vendor precertification program.

Fast-Path Plan for Product Approval

The FDA is proposing to pre-certify vendors of certain medical device
software, including some mobile apps, allowing the companies to skip the
agency's much more rigorous premarket approval process for hardware-based
medical devices.

The proposed voluntary program is for review of software that is "intended
to treat, diagnose, cure, mitigate or prevent disease or other conditions."
Currently, such software faces the same regulatory review as medical device
hardware.

The FDA says its current regulation of medical device hardware "is not
well-suited for the faster, iterative design, development and type of
validation used for SaMD," according to the agency's working model document
issued in April (see FDA Unveils Plan for Software as Medical Device
Review).

The FDA proposes to evaluate vendors for precertification based on five
"culture of quality and organization excellence principles." In addition to
cybersecurity responsibility, the FDA would also evaluate a company's
approach to product quality, patient safety, clinical responsibility and
whether it has a "proactive culture."

NIST Framework

In its comments, the American Medical Association says the FDA should use
"relevant existing standards" where possible and should account for varied
size of applicants when assessing vendors.

"An example ... would be the National Institute of Standards and
Technology's Framework for Improving Critical Infrastructure
Cybersecurity," the AMA writes.

"The framework illustrates that there are widely recognized 'gold standard'
frameworks, processes, and programs available to support the proposed
excellence principle on cybersecurity responsibility," the AMA notes.
"NIST's framework is an analog for the overarching FDA goal to balance
flexible excellence principle demonstration with the need to ensure an
appropriate level of consistency and structure across organizations seeking
precertification."

Security Certifications

Other commenters also suggested the FDA consider a vendor's implementation
of industry standards - including the use of accepted cybersecurity
frameworks - as well as various security certifications as an indication of
cybersecurity responsibility.

"We strongly support the FDA's intent to consider certifications already in
place ... which supports a least burdensome approach [for product
precertification]," writes medical device maker Roche Diagnostics in its
comments.

"For example, an organization's existing ISO certifications of their
quality systems; company history, experience, and/or audit results;
compliance with existing standards and regulations; and cybersecurity
certifications - for example HITRUST," should be considered, writes Roche
Diagnostics, a participant in the FDA's precertification pilot program.

Lifecycle Approach

In its comments, the Healthcare Information and Management Systems Society
stresses that the FDA should take a "holistic" approach to assessing a
vendor's approach to cybersecurity.

"Effective cybersecurity requires comprehensive processes to ensure
security risk mitigation occurs at every stage of the product lifecycle,"
HIMSS writes.

HIMSS recommends the FDA "separate health/medical risk determination and
cybersecurity assessments" in evaluating a vendor for participating in a
precertification program for SaMD products.

"For the purposes of the precertification program, the medical risk of the
intended use of the device should be the sole element considered for
eligibility of a particular product to follow the accelerated pathway to
market," HIMSS writes.

HIMSS recommends that the FDA "take a holistic approach" to the
cybersecurity assessment not just of individual products, but as part of
the criteria for a manufacturer's demonstration of a culture of excellence
for their inclusion in the precertification program in the first place.

"Even low-risk products can be compromised and misused in ways that elevate
their overall risk," HIMSS writes.

"Strong security requires more than just the implementation of certain
features in a particular product and begins with product conception and
design and continues through surveillance and updates once a product is
delivered to the end-user. These are organizational characteristics that a
manufacturer must possess at all levels, and a strong culture of excellence
in this area should lead to meaningful risk assessment and mitigation
within individual products."

More Transparency Needed

But aside from the FDA collecting comments on its proposed plans for a SaMD
precertification program, many healthcare industry stakeholders are growing
increasingly concerned about a continuing lack of openness from many
medical device makers when it comes to the cybersecurity of their products,
says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety
and Security consortium.

"With a few exceptions ... as a group - our constituents, including key
stakeholders like security researchers and healthcare systems - are not
seeing a robust level of transparency about cybersecurity from
manufacturers - nor the push from FDA - that we'd like to see," Nordenberg
says. A lack of transparency from vendors about their medical device
cybersecurity practices could potentially impact the credibility of an FDA
precertification program, he adds.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180614/45db1439/attachment.html>