Cybersecurity continues to be a hot topic in healthcare with several areas of concern. These include the theft of personal health information from a provider's database, using ransom wear to extract payment from providers without actually stealing information, and compromising the performance of medical devices that are connected to the network, employ wireless functions or are otherwise hackable in either real or imagined scenarios. One might note that these latter concerns may not be in proportion to the actual risk, ie they attract a great deal of attention and gnashing of teeth but in a rationale hierarchy of actual medical healthcare dangers they probably aren't near the top.
In this cybersecurity milieu the FDA has announced a 2-day workshop (May 18-19, 2017) to address it's medical device mission of reasonable assurance of device safety and effectiveness, while not unduly interfering with timely innovation. In particular, the workshop is to address the "regulatory science" gaps that may prevent the FDA from fulfilling this mission. Regulatory science is the development of new tools, standards, and approaches to assess the safety, efficacy, quality, and performance of regulated products. In addition, the FDA seeks to "encourage proactive development of analytical tools, processes, and best practices by the stakeholder community".
Thus there are two major issues. One is design and use practices to enhance cybersecurity, the second is how to measure the degree to which these practices are successful in both the pre-market and post-market environments. The latter also has at least two important elements. One is user practices to maintain (and not compromise) the as-built cybersecurity. The second is "upgrade" practices to deal with security flaws that are discovered after initial deployment either because they had been there all along but not previously identified, or because new threats are developed by the bad guys, or perhaps added in by ongoing deployment of new technologies.
Specific topics identified for possible discussion are:
- Relationship between medical device cybersecurity and patient safety;
- Unique cybersecurity and regulatory challenges for medical devices;
- Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);
- The roles and intersection of information technology professionals and biomedical engineering staff;
- Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;
- Automated and manual tools for communicating cybersecurity information about medical device design and function;
- Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;
- Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and
- Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.
One potential outcome from the workshop is the identification of research needs for advancing design and regulatory practices, i.e., it isn't just that we aren't doing what we know we should be doing, it is also that we don't know how to do some things that need doing. This despite the alarmist (and self-promotional) cries of design malfeasance by some elements of the cybersecurity community. Such research might include intramural effort by the FDA, multi-agency collaboration, and collaboration with non-governmental entities.
We might wonder how and when new regulatory science efforts will translate into new regulations, or new regulatory practices under existing regulatory practices, especially in the current general anti-regulatory environment. We might also wonder whether new practices will be effective, and whether they can keep up with, let alone be ahead of, the threats. This may become an example of the often-seen regulatory stance that regulations that I believe in are an essential government function, but regulations I don't believe in are examples of the government run amuck.
Webcast links now available:
https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm549732.htm?source=govdelivery&utm_medium=email&utm_source=govdelivery
A recording of the workshop, and slides from some of the presentation are available at the link above. The transcript is said to be forthcoming, but only a less than helpful generic link is provided to Regulations.gov. The docket number may be helpful - FDA-2017-N-157.