Should the FDA Create a Cybersecurity Measuring Stick?Agency Gets Suggestions for 'Software as a Medical Device' Precertification Program
The Food and Drug Administration should consider some sort of measuring stick when assessing a vendor's cybersecurity culture to determine if it qualifies for the agency's proposed fast-path program for premarket approval of "software as a medical device" products, some industry stakeholders say.
See Also: 2021: The Cyber-Attack Outlook
The FDA accepted comments on its "working model" for a SaMD precertification program through May 31.
The agency will review and incorporate the public feedback as it refines its plans for the proposed program.
The federal Regulations.gov website shows that FDA has received more than 60 comments on its plans for a precertification program to fast-path certain SaMD products for premarket approval. Those comments also include feedback on the FDA's initial plans announced in 2017 for a pilot SaMD vendor precertification program.
Fast-Path Plan for Product Approval
The FDA is proposing to pre-certify vendors of certain medical device software, including some mobile apps, allowing the companies to skip the agency's much more rigorous premarket approval process for hardware-based medical devices.
The proposed voluntary program is for review of software that is "intended to treat, diagnose, cure, mitigate or prevent disease or other conditions." Currently, such software faces the same regulatory review as medical device hardware.
The FDA says its current regulation of medical device hardware "is not well-suited for the faster, iterative design, development and type of validation used for SaMD," according to the agency's working model document issued in April (see FDA Unveils Plan for Software as Medical Device Review).
The FDA proposes to evaluate vendors for precertification based on five "culture of quality and organization excellence principles." In addition to cybersecurity responsibility, the FDA would also evaluate a company's approach to product quality, patient safety, clinical responsibility and whether it has a "proactive culture."
In its comments, the American Medical Association says the FDA should use "relevant existing standards" where possible and should account for varied size of applicants when assessing vendors.
"An example ... would be the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity," the AMA writes.
"The framework illustrates that there are widely recognized 'gold standard' frameworks, processes, and programs available to support the proposed excellence principle on cybersecurity responsibility," the AMA notes. "NIST's framework is an analog for the overarching FDA goal to balance flexible excellence principle demonstration with the need to ensure an appropriate level of consistency and structure across organizations seeking precertification."
Other commenters also suggested the FDA consider a vendor's implementation of industry standards - including the use of accepted cybersecurity frameworks - as well as various security certifications as an indication of cybersecurity responsibility.
"We strongly support the FDA's intent to consider certifications already in place ... which supports a least burdensome approach [for product precertification]," writes medical device maker Roche Diagnostics in its comments.
"For example, an organization's existing ISO certifications of their quality systems; company history, experience, and/or audit results; compliance with existing standards and regulations; and cybersecurity certifications - for example HITRUST," should be considered, writes Roche Diagnostics, a participant in the FDA's precertification pilot program.
In its comments, the Healthcare Information and Management Systems Society stresses that the FDA should take a "holistic" approach to assessing a vendor's approach to cybersecurity.
"Effective cybersecurity requires comprehensive processes to ensure security risk mitigation occurs at every stage of the product lifecycle."
"Effective cybersecurity requires comprehensive processes to ensure security risk mitigation occurs at every stage of the product lifecycle," HIMSS writes.
HIMSS recommends the FDA "separate health/medical risk determination and cybersecurity assessments" in evaluating a vendor for participating in a precertification program for SaMD products.
"For the purposes of the precertification program, the medical risk of the intended use of the device should be the sole element considered for eligibility of a particular product to follow the accelerated pathway to market," HIMSS writes.
HIMSS recommends that the FDA "take a holistic approach" to the cybersecurity assessment not just of individual products, but as part of the criteria for a manufacturer's demonstration of a culture of excellence for their inclusion in the precertification program in the first place.
"Even low-risk products can be compromised and misused in ways that elevate their overall risk," HIMSS writes.
"Strong security requires more than just the implementation of certain features in a particular product and begins with product conception and design and continues through surveillance and updates once a product is delivered to the end-user. These are organizational characteristics that a manufacturer must possess at all levels, and a strong culture of excellence in this area should lead to meaningful risk assessment and mitigation within individual products."
More Transparency Needed
But aside from the FDA collecting comments on its proposed plans for a SaMD precertification program, many healthcare industry stakeholders are growing increasingly concerned about a continuing lack of openness from many medical device makers when it comes to the cybersecurity of their products, says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security consortium.
"With a few exceptions ... as a group - our constituents, including key stakeholders like security researchers and healthcare systems - are not seeing a robust level of transparency about cybersecurity from manufacturers - nor the push from FDA - that we'd like to see," Nordenberg says. A lack of transparency from vendors about their medical device cybersecurity practices could potentially impact the credibility of an FDA precertification program, he adds.