FDA, DHS link arms on medical device cybersecurity, plus new agency guidance

19 October 2018

Conor Hale / FierceBiotech

The FDA and the Department of Homeland Security are teaming up on securing medical devices from cyberattacks, formalizing a long-standing relationship in the field.

The two federal agencies agreed to share additional information and collaborate more on evolving vulnerabilities, and to assist the healthcare sector to proactively respond when possible exploits are identified, including the use of ransomware or wider attacks on a health system.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients,” said FDA Commissioner Scott Gottlieb in a statement.

“But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone,” Gottlieb said. “Every stakeholder has a unique role to play in addressing these modern challenges.”

Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center, and will consult with the FDA for technical and clinical expertise.

“DHS has some of the top experts on control systems technology, and we look forward to continuing to leverage this expertise for the sake of improving the lives and safety of people across the country,” said Christopher Krebs, the department’s undersecretary for the national protection and programs directorate, citing its collaborations with the FDA over the past several years.

In the past, the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications have worked together to coordinate vulnerability disclosures, and have collaborated on DHS-led exercises simulating real-world cybersecurity attacks.

At the same time, the FDA published a new draft guidance updating its 2014 recommendations to manufacturers on cybersecurity considerations in device design, labeling and documentation, including what manufacturers should document in premarket submissions.

It introduces two tiers of devices, grouped by the potential for patient harm: Tier 1, higher cybersecurity risk, covers devices that connect to a network or another product and where an exploited vulnerability could directly harm patients, with implanted pacemakers, defibrillators, dialysis machines, insulin pumps and neurostimulation devices given as examples; Tier 2, standard cybersecurity risk, covers all other devices, software products among them.

It also recommends that companies draw up a “cybersecurity bill of materials” (CBOM): a list of the commercial, open-source and off-the-shelf software and hardware components in a device that are or could become susceptible to vulnerabilities, so that hospitals and other purchasers can weigh that exposure in purchasing controls and track the device as an asset once it is deployed.
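To show what a CBOM buys a hospital in practice, here is an added example (not from the article or the FDA draft guidance): a small CBOM for a hypothetical connected infusion pump, cross-referenced against a constructed list of advisories that each name a component and the first fixed version. Component names, versions, suppliers and advisory identifiers are all made up for illustration; the point is the matching logic, including the two edge cases a real inventory hits constantly, versions of different lengths ("1.2" versus "1.2.0") and components whose version the manufacturer did not record.

```python
"""Added example: cross-reference a cybersecurity bill of materials (CBOM)
against a list of advisories. All component and advisory data below is
constructed for illustration and does not describe any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str      # "unknown" when the manufacturer did not record one
    supplier: str
    kind: str         # "software" or "hardware"


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str     # versions strictly below this are affected
    advisory_id: str  # hypothetical identifier


def version_tuple(v):
    """Turn '4.0.10' into (4, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def version_lt(a, b):
    """True if version a is older than version b.

    Pads the shorter tuple with zeros so '1.2' equals '1.2.0' rather than
    sorting below it, which plain tuple comparison would do."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def exposure_report(cbom, advisories):
    """Return sorted (component, version, advisory_id, status) tuples.

    status is "affected" when the listed version predates the fix, and
    "unknown-version" when the CBOM names the component but carries no
    version, which a purchaser should treat as unresolved rather than clean."""
    findings = []
    for c in cbom:
        for a in advisories:
            if c.name != a.component:
                continue
            if c.version == "unknown":
                findings.append((c.name, c.version, a.advisory_id, "unknown-version"))
            elif version_lt(c.version, a.fixed_in):
                findings.append((c.name, c.version, a.advisory_id, "affected"))
    return sorted(findings)


# Constructed CBOM for a hypothetical connected infusion pump.
CBOM = [
    Component("embedded-tls", "1.8.2", "ExampleVendor", "software"),
    Component("rtos-kernel", "4.0.10", "ExampleRTOS", "software"),
    Component("wifi-module", "2.1", "ExampleRadio", "hardware"),
    Component("bootloader", "unknown", "ExampleSoC", "software"),
]

# Constructed advisory feed; identifiers are hypothetical.
ADVISORIES = [
    Advisory("embedded-tls", "1.9.0", "EX-2018-001"),
    Advisory("rtos-kernel", "4.0.8", "EX-2018-002"),
    Advisory("bootloader", "3.0.0", "EX-2018-003"),
]

if __name__ == "__main__":
    for name, version, adv, status in exposure_report(CBOM, ADVISORIES):
        print(f"{name} {version}: {adv} ({status})")
```

Run as a script it lists only the TLS library (1.8.2 is older than the 1.9.0 fix) and the bootloader (no version recorded, so the advisory cannot be ruled out); the RTOS kernel at 4.0.10 is newer than the 4.0.8 fix and is correctly left out, which a string comparison would have got wrong because "4.0.10" sorts below "4.0.8" lexically.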

The FDA also published its fall 2018 regulatory agenda, outlining plans for federal rulemaking to modernize and “create brighter lines between products we actively regulate, and those that don’t fall under our purview” when it comes to digital health, Gottlieb said.

Other plans include establishing a new category of over-the-counter hearing aids, following the clearance of Bose’s consumer-centric version, as well as strengthening the communication of breast density information in mammography services and issuing a final ban on electrical stimulation devices used for self-injurious and aggressive behaviors.
