Cybersecurity Risks in Medical Devices Discussed at Recent FDA Meeting

Robinson+Cole Data Privacy + Security Insider

The Patient Engagement Advisory Committee to the Food and Drug Association (FDA) met recently to discuss cybersecurity in medical devices. Medical devices are increasingly connected to the internet, hospital networks, and other medical devices to provide features designed to improve healthcare and increase providers’ ability to treat patients. However, as medical devices become more connected and join the internet of things, cybersecurity risks increase. As the summary of the meeting indicates, preserving the benefit of the devices requires both continuous vigilance and timely and effective communications to users about evolving cybersecurity risks.

The Committee focused on factors for consideration by the FDA and industry when communicating cybersecurity risks to patients and the public, the role of health care providers and other stakeholders in communicating such risks to patients, and concerns patients have about changes to their devices to reduce cybersecurity risks.

Overall, the Committee members generally concluded that there is not one blanket approach that would work for all patients. However, they highlighted three strategic elements the FDA and industry should consider in conveying cybersecurity risks to patients when the probability of exploitation is not known: (1) explaining the unknown factor; (2) understanding patients’ fear of the potential unknown and having those concerns addressed and factored in well in advance of the preapproval process; and (3) a balanced discussion between risk and benefits, particularly for lifesaving devices. The Committee felt the FDA could use an alert system similar to that used by other agencies (such as using green, yellow and red) to communicate the different levels of cybersecurity threat. The Committee also recommended that the FDA explore using Unique Device Identifiers (UDIs) to deliver targeted risk messages to patients who use particular devices.

The Committee believed it is important for patients to hear about a cybersecurity threat even before there is a risk reduction measure available, both for transparency and because patients might be able to detect potential harms. The FDA should also consider if and when to make the information public, given that there could be “bad actors” who take advantage of the risk upon learning about it through the media.

It will be interesting to see what the FDA does in response to the Committee’s recommendations, and whether guidance from the FDA will be forthcoming.
