FDA is tackling cybersecurity threats head-on and expects industry to do the same. Earlier this month, FDA commissioner Scott Gottlieb, M.D., announced a series of developments designed to keep pace with evolving cybersecurity threats to medical devices. Industry should take note, as these developments detail the agency’s current expectations for companies preparing to combat future threats. As part of FDA’s effort to get in front of these issues before they happen, it launched its first ever Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the “Playbook”). FDA also announced two memoranda of understanding designed to improve information sharing about cybersecurity risks. Finally, just last week, FDA released an update to guidance from 2014 concerning premarket expectations for devices susceptible to cybersecurity threats.
The Playbook provides a framework for healthcare providers to plan and respond to cyberattacks that target medical devices. It was developed by MITRE Corporation under a federally-funded research and development contract with FDA. The Playbook is geared toward multiple audiences, including clinicians, healthcare technology management professionals, and IT staff, as well as device manufacturers and maintenance contractors. Targeting this broad audience highlights that effective responses to cybersecurity threats require multiple stakeholders working together to share information and increase transparency. The Playbook focuses on strategies for addressing large-scale, multi-patient threats and is not intended to give advice about day-to-day patches. It takes a regional approach, focusing on regional medical device preparedness and encouraging regional partnerships to help ensure patient safety is protected across a particular region. In addition to publishing the industry-directed Playbook, FDA developed its own internal playbook to help its staff address cybersecurity threats, vulnerabilities, and incidents when they happen.
Memoranda of Understanding
FDA also announced two memoranda of understanding aimed at bringing together multiple stakeholders to increase information sharing and transparency surrounding cybersecurity risks. The memoranda of understanding establish information sharing analysis organizations – or ISAOs – to analyze and disseminate important industry data about cyber threats. Although the memoranda are non-binding, FDA hopes that manufacturers will participate in these ISAOs and signal to customers that they take a proactive approach to addressing cybersecurity.
Just last Wednesday, an MOU between FDA and U.S. Department of Homeland Security (DHS) was released. It establishes a partnership between the two agencies designed to “lead to more timely and better responses to potential threats to patient safety.” As part of that partnership, DHS National Cybersecurity and Communications Integration Center (NCCIC) will continue to serve as the “central medical device vulnerability coordination center” while also communicating with FDA to address systemic cybersecurity risks and vulnerabilities.
Update to 2014 Guidance
Finally, last Thursday, FDA published a significant update to premarket guidance on cybersecurity that it had previously released in 2014. Once final, it will supersede the earlier guidance. The new guidance also contains a “cybersecurity bill of materials,” which keeps customers informed about potentially vulnerable hardware and software. FDA will also hold a public workshop on January 29-30, 2019 to discuss the draft guidance on premarket submissions for management of cybersecurity in medical devices.
Through these developments, FDA is recognizing that cybersecurity threats cannot be addressed by one particular stakeholder or one particular government agency alone. FDA is also acknowledging that this space continues to evolve and constant dialogue is a must. Participants in that dialogue must include not only FDA and the public, but also every software developer and hardware manufacturer involved in bringing a device to market. We will continue to provide updates on legislative and regulatory activity affecting the connected medical device space.