To keep pace with emerging cyber threats, the Food and Drug Administration (FDA) is seeking congressional approval to develop a team of experts that could investigate cybersecurity incidents involving medical devices, while also adding new requirements for manufacturers.
Medical device cybersecurity is one of five focus areas outlined in a Medical Device Safety Action Plan released (PDF) by the FDA on Tuesday. Part of that effort includes asking Congress for the authority and funding to establish a CyberMed Safety (Expert) Analysis Board (CYMSAB), described as a “go-team” that can investigate suspected attacks at the request of a manufacturer or the FDA.
The public-private team of experts—including clinicians and biomedical engineers—would also assist with high-risk device vulnerabilities, evaluate patient safety risks, adjudicate disputes and consult with manufacturers.
The FDA said funding for the CYMSAB would be included as part of the $70 million requested by the FDA for fiscal year 2019 to advance digital health technology. FDA spokesperson Angela Stark said the agency does not have figures associated with specific line items like the CYMSAB available to share at this time.
The @US_FDA will seek congressional authority to require new medical devices:
- to be patchable
- to have a software bill of materials
- to be covered by a coordinated vulnerability disclosure policy. https://t.co/3COmDLdYpq
— Beau Woods (@beauwoods) April 17, 2018
The FDA is also considering notable changes to premarket approvals that would require device makers to include the ability to easily patch products and submit a “bill of materials” to help users better manage networked devices. The agency is also considering a postmarket requirement for manufacturers to adopt policies and procedures for “coordinated disclosure of vulnerabilities as they are identified.”
This week, the Healthcare Supply Chain Association also issued new guidelines (PDF) for medical device cybersecurity terms of service, recommending that manufacturers include a bill of materials with each device along with the product's lifecycle.
“Like computers and the networks they operate in, medical devices can be vulnerable to security breaches,” FDA Commissioner Scott Gottlieb, M.D., said in a statement. “Exploitation of device vulnerabilities could threaten the health and safety of patients.”
Device cybersecurity has been a lingering concern for years but has recently gained more attention from lawmakers and providers, particularly after the FDA issued its first cybersecurity recall last year with a firmware update for Abbott-manufactured pacemakers.
There has been some debate over how the FDA should approach the issue. Legislation submitted last year has included both sides of the spectrum: A House bill called for a voluntary approach, while a Senate bill included minimum testing requirements. For its part, the medical device industry has said it wants to take the lead in developing cybersecurity standards.