Cybersecurity Risks in Medical Devices Discussed at Recent FDA Meeting
The Patient Engagement Advisory Committee to the Food and Drug Administration (FDA) met recently to discuss cybersecurity in medical devices. Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features designed to improve healthcare and increase providers’ ability to treat patients. However, as medical devices become more connected and join the internet of things, cybersecurity risks increase. As the summary of the meeting indicates, preserving the benefit of the devices requires both continuous vigilance and timely, effective communication to users about evolving cybersecurity risks.
The Committee focused on factors for consideration by the FDA and industry when communicating cybersecurity risks to patients and the public, the role of health care providers and other stakeholders in communicating such risks to patients, and concerns patients have about changes to their devices to reduce cybersecurity risks.
Overall, the Committee members generally concluded that no single blanket approach would work for all patients. However, they highlighted three strategic elements the FDA and industry should consider in conveying cybersecurity risks to patients when the probability of exploitation is not known: (1) explaining the unknown factor; (2) understanding patients’ fear of the potential unknown and having those concerns addressed and factored in well in advance of the preapproval process; and (3) a balanced discussion of risks and benefits, particularly for lifesaving devices. The Committee felt the FDA could use an alert system similar to those used by other agencies (such as green, yellow and red levels) to communicate the different levels of cybersecurity threat. The Committee also recommended that the FDA explore using Unique Device Identifiers (UDIs) to deliver targeted risk messages to patients who use particular devices.
The Committee believed it is important for patients to hear about a cybersecurity threat even before there is a risk reduction measure available, both for transparency and because patients might be able to detect potential harms. The FDA should also consider if and when to make the information public, given that there could be “bad actors” who take advantage of the risk upon learning about it through the media.
It will be interesting to see what the FDA does in response to the Committee’s recommendations, and whether guidance from the FDA will be forthcoming.