AHA calls for more oversight of medical device cybersecurity as FDA outlines plans to modernize approvals

The American Hospital Association wants the Food and Drug Administration to ramp up efforts to ensure medical device manufacturers minimize the risks of a cyberattack.

In response to a request for information (PDF) from the FDA about ways the agency can reduce regulatory burdens, Ashley Thompson, AHA’s senior vice president of public policy analysis and development, highlighted the vulnerabilities associated with outdated medical equipment that can have a detrimental effect during a global attack such as WannaCry.

Thompson added that despite pre-market and post-market guidance released by the FDA regarding cybersecurity standards, “device manufacturers have yet to resolve concerns, particularly for the large number of legacy devices still in use.” Instead, she advocated for “clear measurable expectations” for preparing for and responding to an attack.

“Manufacturers must be held accountable to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge,” she wrote (PDF).


Meanwhile, FDA Commissioner Scott Gottlieb, M.D., said the agency plans to release new guidelines in the coming months aimed at modernizing the regulatory approval process for medical devices, known as the 510(k) pathway. That process has “remained largely unchanged since it was first implemented 40 years ago,” he wrote in a blog post.

By issuing draft guidance in early 2018, the FDA plans to create a voluntary alternative pathway that allows for more flexibility as long as manufacturers meet certain safety and performance criteria.

“This pathway will allow more flexibility to use more modern criteria as the reference standard, and permit comparisons to standards that more closely approximate the kind of novel technology we’re being asked to evaluate,” he wrote in a blog post.


Although he did not specifically address cybersecurity concerns, he added that the FDA also plans to release separate draft guidance outlining the factors the agency should consider when assessing acceptable uncertainty and the pre-market and post-market approval process. Those guidelines will allow the FDA to push forward innovative technology, he argued.

There has been some debate regarding how the FDA should approach cybersecurity. Manufacturers have pushed for industry-led standards that provide the flexibility for innovation, while some lawmakers have sponsored legislation supporting minimum testing requirements and advocated for manufacturers to submit a “cyber report card.”

In the House, Republican lawmakers have sponsored a bill that would require the FDA to set up a working group of cybersecurity experts to create a voluntary framework for device cybersecurity.