Cybersecurity Risks in Medical Devices Discussed at Recent FDA Meeting
Tuesday, September 24, 2019
FDA Cybersecurity Risks Medical Devices
Print Mail Download i

The Patient Engagement Advisory Committee to the Food and Drug Association (FDA) met recently to discuss cybersecurity in medical devices. Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features designed to improve healthcare and increase providers’ ability to treat patients. However, as medical devices become more connected and join the internet of things, cybersecurity risks increase. As the summary of the meeting indicates, preserving the benefit of the devices requires both continuous vigilance as well as timely and effective communications to users about evolving cybersecurity risks.

The Committee focused on factors for consideration by the FDA and industry when communicating cybersecurity risks to patients and the public, the role of health care providers and other stakeholders in communicating such risks to patients, and concerns patients have about changes to their devices to reduce cybersecurity risks.

Overall, the Committee members generally concluded that there is not one blanket approach that would work for all patients. However, they highlighted three strategic elements the FDA and industry should consider in conveying cybersecurity risks to patients when the probability of exploitation is not known: (1) explaining the unknown factor; (2) understanding patients’ fear of the potential unknown and having those concerns addressed and factored in well in advance of the preapproval process; and (3) a balanced discussion between risk and benefits, particularly for lifesaving devices. The Committee felt the FDA could use an alert system similar to that used by other agencies (such as using green, yellow and red) to communicate the different levels of cybersecurity threat. The Committee also recommended that the FDA explore using Unique Device Identifiers (UDIs) to deliver targeted risk messages to patients who use particular devices.

The Committee believed it is important for patients to hear about a cybersecurity threat even before there is a risk reduction measure available, both for transparency and because patients might be able to detect potential harms. The FDA should also consider if and when to make the information public, given that there could be “bad actors” who take advantage of the risk upon learning about it through the media.

It will be interesting to see what the FDA does in response to the Committee’s recommendations, and whether guidance from the FDA will be forthcoming.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins