An increasing number of medical devices, from pacemakers to insulin pumps, include components that could open them to cyber vulnerabilities. So will the Food and Drug Administration start taking into account the differences in these devices as the agency evaluates premarket submissions?
“Over time as we accumulate experience with the provided cybersecurity risk assessments, there will be a repertoire that we identify with and then look for in other submissions,” said Seth Carmody, a staff fellow with FDA’s Center for Devices and Radiological Health.
Carmody made the comments during a 1.5-hour webinar Wednesday during which members of industry posed specific questions about medical device cybersecurity guidance released this month. The event comes a week after Reuters reported that the Department of Homeland Security was investigating at least two dozen cases of possible cybersecurity flaws in medical devices.
Questions during the webinar dealt with a range of issues, including what the reporting requirements are for updating software, what kinds of devices the guidance encompasses and how to include information about cybersecurity risk mitigation in application submissions.
In the guidance, FDA said that manufacturers should incorporate specific controls within their products to combat cybersecurity risks, and they should factor in patients’ risks and the environment in which the device is used. The agency also indicated that device security falls to device manufacturers, health care facilities and patients alike.
Abiy Desta, from the Office of the Center Director at FDA’s Center for Devices and Radiological Health, in response to a question during the webinar, said that reviewers who evaluate premarket submissions receive training about guidances, and they have access to subject matter experts who can help with questions.
One caller asked how the new cybersecurity recommendations for medical devices aligned with the agency’s health IT draft framework, a report released earlier this year that includes a proposed strategy for maintaining security protections while still promoting innovation. The draft framework has a separate category for medical devices. The panel recommended that the caller reach out to officials involved with the framework.
The same caller lamented having to follow cybersecurity recommendations from several agencies.