FDA: How to Inform Patients About Medical Device Cyber FlawsAgency Issues Best Practices for Communicating Device Vulnerabilities
As the use of connected medical devices - and the number of cyberthreats - grows, the Food and Drug Administration has issued a new best practices document for healthcare industry stakeholders and government agencies to use when communicating medical device vulnerabilities to patients and caregivers.
The FDA says the document released Tuesday, Best Practices for Communicating Cybersecurity Vulnerabilities to Patients, is geared at helping industry stakeholders, such as manufacturers, and federal agencies design a "communication approach" for informing patients and caregivers about cybersecurity vulnerabilities.
"The increased use of connected medical devices in the U.S. has led to an increase in cybersecurity vulnerabilities," the FDA says.
These devices range from Software as a Medical Device, such as certain mobile phone applications, to implantable medical devices, such as pacemakers, the agency notes.
"Clear, actionable communication is one way to help protect and promote public health, and help ensure that patients, who depend on their medical devices, stay informed and protected," according to the FDA.
The best practices document is voluntary and not considered official agency guidance, the FDA notes.
When developing a strategy to communicate medical device cybersecurity vulnerabilities to patients and caregivers, there are several key elements for stakeholders and government agencies to consider, the FDA says.
- Interpretability, so that patients can easily understand what is being communicated;
- Risks and benefits of using the device with the vulnerabilities;
- Acknowledging and explaining what is unknown about the flaw and its potential exploits;
- Availability of additional information about the issue;
- Structure of the communication material;
- Outreach and distribution vehicles for the communication.
"Because the severity of cybersecurity vulnerabilities can change at any time - for example, the development of exploit code could increase the likelihood of exploitation - it is important for messengers to update vulnerability communications as needed to ensure that patients have access to the most up-to-date and relevant information," the FDA notes.
"Given the evolving nature of vulnerabilities, it may help to explain what is known and unknown at the time of the communication."
The FDA notes that in some cases, it may not be possible for patients to take action to mitigate risks posed by medical device vulnerabilities. "An update to their device may not yet exist, or they may need to wait for the medical device manufacturer, healthcare provider, or other party to take some action first," the agency says.
"In these cases, communication materials that provide clear and concise instructions for recommended actions and focus on what patients and caregivers should do are important, including how they might identify if their device has been affected," the FDA notes.
"If no action is recommended, communications that clearly state this fact help to mitigate against the perception of it being an oversight."
Some experts say that it is a critical for patients to be included in the disclosure process for vulnerabilities involving their connected medical devices.
"Although healthcare providers have come out of the Stone Age and denial stage of medical device security, patient communications are the next frontier," says Michael Holt, president and CEO of healthcare security vendor Virta Labs.
Overwhelmingly, the benefits of medical devices have so far outweighed the security risks, so the tone, frequency and threshold for alerts to patients being developed by FDA and stakeholders are critical, he says.
"As we move to telehealth, including more wearables and devices on home networks, patients should be educated on the basics such as cyber hygiene, two-factor authentication and timely installation of patches," he says.
Besides issuing the best practices document, the FDA has several other activities underway related to medical device cybersecurity.
The agency is expected, possibly by year-end, to release a new or updated version of draft guidance for premarket medical device cybersecurity that was first issued in Oct 2018 (see: FDA Calls for Cybersecurity Bill of Materials for Devices).
The first version of the draft guidance called for manufacturers, before marketing their medical devices, to prepare a "cybersecurity bill of materials" listing each components that could be susceptible to vulnerabilities.
Based on public comments the FDA received on the draft guidance, the agency is anticipated to adjust its recommendation, calling instead for manufacturers to provide customers with a narrower software bill of materials, or SBOM, for each of their products (see: FDA's Kevin Fu on Threat Modeling for Medical Devices).
Some experts suggest that the FDA should also take action to push manufacturers to bolster the cybersecurity of older, legacy medical devices.
"Building security into the design and architecture [of new devices] would be the logical subsequent step, and I think the FDA already has that on their radar," says Elad Luz, head of research at healthcare security firm CyberMDX.
But many older products were designed before ransomware, for example, was an issue, he says.
"Requirements of timely updates and patches for legacy devices would certainly be a huge step towards eliminating one of the largest threat vectors."