Alaap B. Shah, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, was quoted in Inside Health Policy Daily News, in “FDA Cyber Guide Provides Key Testing, Documentation Updates,” by David Roza. (Read the full version – subscription required.)
Following is an excerpt:
Medical device experts voiced their approval of FDA’s recent draft guidance that lays out how device manufacturers should address cybersecurity in their premarket submissions. While they welcomed FDA’s thorough list of documents and testing, which they say will give manufacturers a goal to shoot for to make their products more resilient to cybersecurity threats, they also told Inside Health Policy there is still some uncertainty surrounding the draft guidance. Namely, one expert said it is unclear whether industry will actually change its approach to product design, and another found it curious that FDA failed to address postmarket cybersecurity protocols in the draft.
The Oct. 17 premarket draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” is billed by FDA as the successor to the agency’s 2014 final guidance of the same name.
The new guidance lays out a long list of recommendations for device cybersecurity capabilities, such as protecting the integrity and privacy of data through encryption, and including routine security and antivirus scans. ...
Alaap Shah with Epstein Becker Green said he would have to wait and see whether manufacturers would actually change their approach to product design, and whether manufacturers will make the cybersecurity features of their products accessible to end users. …
Shah for the most part approved of the recommendations FDA lays out in its draft guidance. He applauded FDA for encouraging manufacturers to include mechanisms to create and store log files in devices in case of a cybersecurity attack. He also approved of FDA emulating the core functions of the National Institute of Standards and Technology’s cybersecurity framework: detection, response and recovery.
“[M]edical device manufacturers have historically ignored cybersecurity risk in product design such that devices were essentially ‘black boxes’ from a cyber risk management perspective,” Shah said. “This guidance aims to make these ‘black boxes’ more transparent to allow for management of cybersecurity risks inherent in such devices.”
Still, Shah said that while this guidance marks an important step for FDA, it represents only the beginning of what will require a sector-wide transformation in order for stakeholders to be more aware of cybersecurity best practices.
“Now we will have to wait and see whether manufacturers can change their approach to product design, and engineer products that take cybersecurity into account,” he said. “Further, assuming they can develop such products, it will be interesting to see if end users will have enough awareness and expertise to effectively manage evolving cyber risks associated with such medical devices. Good premarket cybersecurity design does not necessarily translate into less postmarket cyber risk if the product is not appropriately configured, supported, used and managed over time. It will always be a team effort.”