The US Food and Drug Administration (FDA) plans to tackle security issues related to medical devices and has released a plan of action it means to implement in the near future.
Broadly, plan is as follows:
- Establish a robust medical device patient safety net in the US
- Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations;
- Spur innovation towards safer medical devices;
- Advance medical device cybersecurity; and
- Integrate CDRH’s premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety.
Medical device cybersecurity
Among the more specific actions when if comes to pushing for greater medical device cybersecurity, the FDA says it is thinking about requiring firms to:
- Make their devices capable of being updated and patched
- Provide both to the FDA and medical device customers and users with a “Software Bill of Materials,” which will include details about the software running on the device so that users can “better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities.”
Fixing vulnerabilities in a timely manner and propagating the fixes to the customers and users is also important, and to that end the FDA aims to push firms to adopt policies and procedures for coordinated disclosure of vulnerabilities.
It is also looking into creating a new public-private partnership that would complement its current device vulnerability coordination and response mechanisms.
“The CyberMed Safety (Expert) Analysis Board (CYMSAB) would encompass a broad range of expertise (including hardware, software, networking, biomedical engineering, and clinical) in order to integrate critical patient safety and clinical environment dimensions into the assessment and validation of high-risk/high-impact device vulnerabilities and incidents,” the FDA noted.
“Its functions would include assessing vulnerabilities, evaluating patient safety risks, adjudicating disputes, assessing proposed mitigations, serving in a consultative role to organizations navigating the coordinated disclosure process, and serving as a ‘go-team’ that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request. The operationalization of a CYMSAB would be an invaluable asset to FDA, industry, and healthcare facilities in averting and responding to cybersecurity vulnerabilities and exploits.”