Congress empowers the FDA to act on cyber threats in medical devices – TechToday

Chris Harvey, Sedgwick’s Senior Vice President, Brand Protection, explains the findings of its report on medical device recalls.

As medical devices become increasingly connected to the Internet and other digital networks, they also become more vulnerable to cyberattacks. This poses a threat to patient safety and privacy. This increased risk has become a major concern for the healthcare industry. Several high-profile incidents have been reported in recent years involving a range of devices, including IV pumps, MRI machines and heart rate monitors.

Reasons for the increase in cybersecurity threats to medical devices

There are several factors that increase the risk of cyber attacks for medical devices:

• Greater connectivity – The main reason for the increase in cyber security threats to medical devices is their increasing connectivity. Increasingly, medical devices are being designed to connect to the Internet and other digital networks. This improves patient care by enabling remote monitoring, software updates and other features. However, this connectivity also makes devices more vulnerable to cyber-attacks. Hackers can exploit vulnerabilities in software or network connections to gain access to sensitive patient data or even take control of the device itself. In such cases, a recall can be particularly difficult due to the threat to patients’ lives and the need for continued use of the affected medical device if there is no suitable alternative. Manufacturers will face new risks as technology continues to advance.
• Lack of safety standards – As in many other sectors, medical device regulators are working hard to keep up with rapidly evolving technology. However, there are currently no uniform security standards across the industry. This makes it difficult for manufacturers to design devices that are secure by default, and it also makes it difficult for healthcare providers to assess the security of the devices they use.
• Legacy s – Many medical devices are based on old systems that were not designed with modern safety standards in mind, mainly due to a lack of online connectivity. These systems can be particularly vulnerable to cyberattacks and are more difficult to update for modern cyber threats (as well as being more expensive to adapt), making it difficult for manufacturers to patch vulnerabilities or solve other security issues.
• Lack of authority – Finally, there has been a lack of regulatory authority in the medical device industry. The US Food and Drug Administration (FDA) lacked the power to enforce cybersecurity guidelines. While it had offered guidance, it was up to device manufacturers to decide whether or not they wanted to heed those recommendations, and there were no penalties if they didn’t.

To help reduce this growing threat, the Consolidated Appropriations Act of 2023 (HR 2617) that was signed into law in December 2022 included provisions aimed at improving the cybersecurity of medical devices. The omnibus appropriations bill also gave the FDA the authority to set and enforce cybersecurity standards for medical devices for the first time.

How the Consolidated Credit Act will help

In addition to giving FDA more regulatory authority, the Consolidated Appropriations Act (the Act) includes several provisions to improve the cybersecurity of medical devices:

• Reinforcement of safety requirements for medical devices – Manufacturers will need to implement security controls to prevent unauthorized access to devices, protect the confidentiality and integrity of patient data, and ensure the availability of devices in the event of a cyber attack. They will also have to submit a cybersecurity plan to the FDA for review in the premarket approval process.
• Establishment of aftermarket responsibilities – Manufacturers’ plans must also detail their process and procedure for ensuring that post-market software and firmware updates, as well as patches to their devices and related systems, are available to consumers and other interested parties as appropriate necessary
• Improve transparency and accountability – Under the new rules, manufacturers must report cybersecurity incidents to the FDA and affected patients within a specific time frame. They will also be asked to provide updates on the status of remediation efforts and any actions taken to prevent similar incidents from occurring in the future. With recalls becoming more public because agencies are not afraid to call companies through their channels, these rules will address the need to keep patients informed. This also makes it even more important for manufacturers to follow expert advice in establishing recall plans that include how a manufacturer will respond to a product-related crisis and how they will communicate with customers. To prepare, manufacturers should also prioritize mock recall exercises as part of their risk management protocols.
• Encourage collaboration and the exchange of information – The legislation includes provisions to promote collaboration and information sharing between manufacturers, healthcare providers, and the FDA. The FDA will need to establish a public-private partnership to promote cybersecurity in the medical device industry.
• Establish a center of excellence in cyber security – One of the key provisions of the legislation establishes a Cybersecurity Center of Excellence within the FDA. This center will coordinate efforts to improve the cybersecurity of medical devices. The Center’s responsibilities will include developing and implementing cybersecurity standards and best practices, assessing device security, and providing guidance to manufacturers and healthcare providers. While manufacturers may face increased oversight as a result, the dedicated office will provide some clarity on how US regulators will address cybersecurity issues in the medical device industry.

The impact on medical device recalls

The withdrawal of medical devices is also affected by the new Consolidated Appropriations Act. The Act requires medical device manufacturers to include cybersecurity information in their recall reports to the FDA. This information will help the FDA and healthcare providers better understand the cybersecurity risks associated with recalled medical devices.

In addition, the FDA must provide guidance to medical device manufacturers on how to conduct post-market reviews focused on the cybersecurity of medical devices. This guide will help manufacturers identify and address cybersecurity vulnerabilities in devices already on the market. By addressing these vulnerabilities, manufacturers can reduce the risk of future recalls due to cybersecurity issues.

The FDA must also establish a pilot program to evaluate the effectiveness of medical device cybersecurity vulnerability reporting. This program will provide FDA with valuable data on cybersecurity risks and help the agency identify areas where additional measures may be needed.

Overall, the provisions included in the new Act will have a significant impact on medical device safety and product recalls, as well as patient safety. By requiring manufacturers to include cybersecurity information in recall reports, providing guidance on post-market reviews, and establishing a pilot program to evaluate the effectiveness of vulnerability reports, the legislation will help reduce the risk of recalls due to issues of cyber security.

This will not only benefit patients, but also help reduce the financial and reputational risk to manufacturers that often results from product recalls.