- FDA will convene its Patient Engagement Advisory Committee Sept. 10 for a public discussion of medical device cybersecurity, the agency announced Tuesday.
- “Preserving the benefit of these devices requires continuous vigilance as well as timely and effective communication to medical device users about evolving cybersecurity risks,” the FDA notice said.
- The committee is slated to make recommendations on factors that FDA and industry should consider when informing the public about cybersecurity risks, including the content, phrasing, timing and means of disseminating the message.
Cybersecurity for medical devices remains top of mind for FDA. Last week, the agency warned patients about a weakness in Medtronic insulin pumps that could allow a hacker to interfere with drug delivery. Medtronic recommends patients not connect the device to third-party technologies it has not authorized.
In June, the Department of Homeland Security flagged security vulnerabilities in some BD infusion pumps that could be exploited by hackers. The company said it had not received any reports of security breaches and advised users to block a client-server protocol for sharing access to files.
The agency issued draft guidance in October 2018 covering cybersecurity in premarket submissions. Some device makers pushed back on FDA’s proposal to create a two-tiered system for managing cybersecurity risk, asking for clarification on how it would work. The agency also proposed implementing a cybersecurity bill of materials requirement, which some viewed as too onerous.
Cybersecurity concerns were part of FDA’s Medical Device Safety Action Plan last year. The agency worked on the Healthcare and Public Sector Coordinating Council public-private collaboration that resulted in a 53-page report released in January with recommendations for managing device cybersecurity in clinical practice.
And in a 2016 postmarket guidance, the agency said manufacturers should manage cybersecurity risks through the entire lifecycle of the device. Manufacturers were also directed to have cybersecurity risk management programs that address vulnerabilities, especially any that could result in patient harm.
FDA said it intends to make background material available to the public no later than two business days before the meeting, which is scheduled for 8 a.m. to 5:30 p.m. Sept. 10 in Gaithersburg, Maryland.