COMMENTARY ON LAW AND TECHNOLOGY

The FDA’s New Cyber Security Measures for Medical Devices

20-Sep-2018

The 4th generation of the Apple Watch was released last week with exciting new features including fall detection and advanced heart monitoring capabilities. Two of these health-related features, heart rhythm detection and personal electrocardiogram, have received clearance from the Food and Drug Administration (FDA), making the new Apple watch a Class II medical device, in the same category as a powered wheelchair. Hence, many more people will be wearing medical devices on a daily basis and rely on them to keep track of their health.

Despite their convenience, cyber security issues have always been a threat facing these networked medical devices and their users. When medical equipment, such an infected CT scanner in a hospital has to be taken offline in order to be patched, patients in the hospital suffer and other patients may have to travel longer to another hospital to get treatment. In August 2017, the FDA recalled almost half a million networked pacemakers, because these implantable devices were found to have vulnerabilities that might allow hackers to remotely alter a patient’s heartbeat. Unlike pacemakers,smart watches are less likely to cause direct physical harm to the users, but because these wearable accessories constantly collect data about your personal health, there may be serious privacy violations associated with a security breach of these devices. Also, attackers may be able to influence user’s behaviors indirectly by providing false health information.

In response to the increasing concern about the cyber security of medical devices, the U.S. Department of Health & Human Services (HHS)recommended that the FDA take additional measures to address this issue.

Currently, before a manufacturer can market its product as a medical device, it has to go through a 3-phase procedure with the FDA to get clearance or approval. First, there is a pre-submission program that allows the manufacturer to better understand FDA requirements. Then, the manufacturer needs to submit a set of documents based on the FDA’s “refuse-to-accept” checklists, which simply means that the FDA does not accept submissions with missing documents. Lastly, the FDA uses a template, called a “SMART template,”to guide its reviews of submissions.

Corresponding to these three phases, the recommendations given by the HHS are threefold, including promoting the use of pre-submission meetings to address cyber security-related questions, adding cyber security documentation to the FDA’s refuse-to-accept checklists, and creating a dedicated section for cyber security in the SMART template.

These recommended measures will certainly raise the awareness of cyber security among medical device manufacturers. From now on, submissions without cyber security documentation will not be accepted in the first place, and manufacturers have to prioritize addressing the cyber security issues residing in their products.

Nonetheless, these recommendations are limited in scope, leaving many important cyber security issues unresolved. Aside from checking cyber security with the SMART template, which the FDA has already started doing, the other two new measures suggested by the HHS seem to be more about procedure and documentation,rather than actually incentivizing manufacturers to improve the cyber security capabilities in their products. Manufacturers can come up with perfect cyber risk mitigation plans in order to pass FDA review but never effectively implement those plans.

In addition, although the FDA has a post-market surveillance program, which monitors the performance of drugs and medical device son the market after they receive clearance or approval, it often takes several years for cyber security vulnerabilities associated with these medical devices to be exposed, and the discovery of these vulnerabilities are usually due to third-party researchers who are not involved in the surveillance program. In short, improvements can be made by the FDA to make vulnerability detection quicker and more effective and thereby improve the cyber security of networked medical devices.

I’m Jay Kesan.