The FDA Finally Suggests Meaningful Action to Secure Medical Devices

by James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology

Healthcare depends on the crucial medical devices essential for the treatment and diagnosis of illness and disease. The Food and Drug Administration (FDA) regulates over 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide. Digital instruments range from pacemakers to MRIs to software-driven insulin pumps. Remote access applications, medical apps, telehealth, and other technologies are driving a revolution in health care. While health systems offer significant increases in patient well-being and convenience, internet-connected devices also pose a risk to consumers. In the past, security-by-design has been absent in health devices because functionality and cost were more heavily prioritized. However, the FDA now recognizes that its public health responsibilities span the life cycle of medical devices. Additionally, the FDA acknowledges that it must make well-supported regulatory decisions that account for each lifecycle stage and the totality of the evidence, to determine whether the benefits of devices outweigh the risks to consumers and vital systems. According to the recently released “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health,” the US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards cybersecurity and medical device safety [1].

The Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health

The FDA tries to permit the marketing of only devices featuring a favorable benefit-risk profile; however, vulnerabilities and weaknesses often remain undiscovered until adversarial exploitation after wide distribution. Further, risks associated with devices develop and evolve as the threat landscape shifts. Changes in manufacturing, released updates, and a multitude of externalities compound the risk to consumers. Lifecycle risk analysis for devices is complex and multi-faceted. Rather than continue to focus on post-market device risk analysis, the FDA is adapting its approach to focus on layered security at each stage of the device lifecycle. Adoption of security-by-design best practices will foster innovation, lead to safer devices, increase technology effectiveness, ensure timely access, improve the health and quality of life of patients, and enable decision-making based on the best available evidence about medical devices [2].

The “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health” outlines how the FDA can best assure the safety of medical devices throughout the Total Product Life Cycle (TPLC) to provide for the timely communication and resolution of known and developing safety issues and how it can advance innovative technologies that are safer, more effective and address unmet needs. In recent years, the agency has developed new regulatory science tools to better assess the performance of devices during the premarket review process. They enhanced the predictability and transparency of premarket review, recalibrated the benefit-risk framework, and adapted their regulatory footprint to keep pace with bleeding-edge technologies. The plan focuses on how the FDA can establish a medical device patient safety net, streamline and modernize regulatory options and implementations, spur device safety and innovation, advance cybersecurity, and integrate existing data and assets in a TPLC approach [2].

Device oversight is based on a flexible, multifaceted framework that measures safety and effectiveness against risk and then classifies devices into three categories. To mitigate limitations and challenges in the post-market analysis, the FDA has strengthened its infrastructure, introduced new statutory authorities, established new capabilities via public-private partnerships, and developed new programs to enhance the agency’s ability to evaluate devices pre- and post-market. A subset of the initiatives includes establishing a unique device identification system, employing real-world data to improve regulatory efforts, launching the National Evaluation System for health Technology (NEST) to optimize data collection and analysis, ensuring consistency, efficiency, accountability, and transparency in CDRH’s evaluation and handling of signals related to marketed medical devices, recalibrating the benefit-risk framework, creating a competitive marketplace for device quality, and addressing device cybersecurity according to patient safety [2].

Tenets of the Action Plan

The Medical Device Safety Action Plan outlines how the FDA can ensure medical device safety throughout the TPLC.

Implement a Medical Device Patient Safety Net

NEST empowers the FDA to aggregate disparate data from different electronic health information sources such as device registries, electronic health records, medical billing claims, patient-generated data, etc. The system will improve the quality of real-world evidence and facilitate the rapid detection of emerging safety signals so that appropriate actions can be taken. It will help manufacturers improve security and assess the safety and effectiveness of their devices, and it will help inform healthcare providers and patients about the evolving benefit-risk profile of devices and empower them to make more informed decisions [2].

NEST is expected to receive $6 million in user fee funding annually for the next five years. However, its multi-stakeholder Planning Board estimated that the system would require $40 to $50 million annually for the first five years to become fully operational. Consequently, the FY 2019 President’s Budget seeks to fund a New Medical Data Enterprise, including dedicated funding to support NEST and to support FDA post-market studies that address device-specific safety concerns. Meanwhile, the members of the NESTcc and other stakeholders are working to make NEST financially self-sustaining in the long-term. The FDA plans to collaborate with other members of the NESTcc and external partners to enhance NEST capabilities to perform active surveillance; perform timely, efficient post-market safety studies; and develop, test, and apply new methods for enhanced safety signal detection and evaluation [2].

Streamline and Modernize Implementations of Post-market Mitigations

If the FDA identifies a risk that impacts the benefit-risk profile of a type of device, it can require companies to implement mitigations through the imposition of additional special controls; however, the rulemaking necessary for special controls requires resources and time. Instead, the FDA often focuses on voluntary implementations, but the approach is not always effective. The agency is now exploring whether, under current statutory authorities, it can impose special controls to address new or increased known risks more quickly through the issuance of an umbrella regulation. If not, it will explore what additional actions might be taken, including considering potential new authorities [2].

Spur Innovation and Incentivize Medical Device Security

The marketplace does not provide strong incentives to make an established device safer in the absence of a new or greater-than-previously-understood safety concern. The FDA is considering offering market incentives in exchange for increased and continued device security. Although reimbursement is outside of FDA’s purview, Congress tasked the FDA with “advancing policies that encourage and reward medical innovation and facilitate timely patient access while continuing to provide reasonable assurances that devices are safe and effective.” To that end, the FDA can offer scientific expertise and regulatory incentives to normalize security-by-design in the marketplace. It will explore the inspirations of innovation, help develop scientific toolkits for developers to better assure their devices’ safety, provide streamlined pathways for comparative safety claims, and work with technology incubators to advance safety innovation.

It will expand the existing 510(k) program to allow manufacturers of certain well-understood device types to use objective performance criteria established or recognized by the Agency to demonstrate substantial equivalence. The increased market competition will lead to greater device security. Finally, it will establish organizational performance metrics and device quality metrics that can be used to create a competitive marketplace for device quality [2].

Improve Medical Device Cybersecurity Culture

The FDA will consider potential new premarket authorities to require firms to build the capability to update and patch device security into a product’s design, to provide appropriate data regarding this capability to FDA as part of the device’s premarket submission, and to develop a “Software Bill of Materials” [2]. The “Software Bill of Materials” will feature software-related details for each medical device and product [1]. The goal of the bill is to help device owners “better manage their networked assets and be aware of which devices in their inventory or use may be subject to vulnerabilities” [2]. Hospitals, healthcare organizations, and users can consult the medical device’s bill of materials to ascertain how it functions, what software is needed for each feature, and what technologies are incorporated in the device [1]. Additionally, the FDA will expand on its existing cybersecurity guidelines and recommendations to include “[updating] the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack)” [2].

Additionally, the FDA wants to create a public-private partnership called the CyberMed Safety (Expert) Analysis Board (CYMSAB) that will assess, assist, and adjudicate coordinated vulnerability disclosures in medical devices. The operationalization of a CYMSAB would be an invaluable asset to FDA, industry, and healthcare facilities in averting and responding to cybersecurity vulnerabilities and exploits. It would encompass a broad range of expertise (including hardware, software, networking, biomedical engineering, and clinical) to integrate critical patient safety and clinical environment dimensions into the assessment and validation of high-risk/high-impact device vulnerabilities and incidents. Based on its design, the CYMSAB would investigate cybersecurity vulnerabilities and incidents for the FDA, similar to how the National Transportation Safety Board (NTSB) investigates aviation accidents for the US Department of Transportation. It would also adjudicate disputes, assess proposed mitigations, and serve in a consultative role to organizations navigating the coordinated disclosure process. Overall, the board will facilitate greater ease in the interaction between stakeholders and vendors [1]. It will also serve as “a ‘go-team’ that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request” [2].

Reorganize to Optimize Adoption of the TPLC Approach

The FDA’s medical devices center, CDRH, is organized according to the stage of the product’s lifecycle (premarket review, post-market surveillance, and compliance) instead of the type of product being regulated. The structure allows employees to specialize, but it does not promote the communication and collaboration essential to combat the hyper-evolving threat landscape [2].

In 2015, CDRH began adapting by consolidating the pre- and post-market functions and creating an infrastructure better suited to emerging scientific, regulatory, organizational, and ecosystem needs. The new structure consolidates and integrates many of the current aspects of product review, quality, surveillance, and enforcement into a new, team-based approach. Key purposes of the approach include enhanced efficiency of regulatory oversight through expedited internal information and expertise-sharing, adopting a broader and more in-depth view of device safety, effectiveness, and quality, and compressing the levels of review. Devices are now evaluated throughout their development and commercialization lifecycles by teams of reviewers, compliance officers, and other experts [2].

The FDA plans to reorganize to optimize how staff consider pre- and post-market data in their benefit-risk assessments and to allow employees to take a universal view of device oversight. The CDRH is evaluating a potential structural design adjustment that would place seven smaller device-specific offices – each responsible for the premarket review, post-market surveillance, manufacturing and device quality, and enforcement – under one large office. A new office – whose focus would be “advancing the generation of more informative data across the TPLC about the benefits and risks of new devices that would help inform regulatory decisions of CDRH staff throughout the TPLC organization” – would be dedicated to clinical evidence and analysis, under which teams would be focused on clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance, and collaboration with and outreach to clinical researchers outside of FDA [2].


In recent years, medical device oversight has been lax, based on incomplete evidence, overly catered to manufacturers, and has deterred competitive innovation. If fully implemented, the FDA “Medical Device Safety Action Plan” would holistically reverse the status of medical device security. The plan includes modernized mechanisms to improve device security, ensure patient safety, and incentivize the TPLC approach and innovation. The Medical Device Safety Action Plan details admirable improvements in the traditionally security-stagnant healthcare sector. Now, the FDA is requesting input from public stakeholders on the draft guidance as well as the encompassment of well-understood device types and possible performance criteria that could be leveraged for these purposes.
