The FDA's New Digital Health Cyber Unit: What Would It Do?Cybersecurity Unit Would Be Part of a Center of Excellence for Digital Health
This story has been updated.
If all goes according to plan, the Food and Drug Administration will launch in fiscal 2019 a new digital health "center of excellence" that includes a cybersecurity unit. The new unit would not only deal with cyber issues pertaining to new health technologies, but also challenges facing older medical devices.
The FDA's $5.8 budget request for fiscal 2019 - which begins Oct. 1 - includes $70 million for the FDA to establish "a new paradigm for digital health technologies," according to the agency's budget justification document released earlier this year.
President Trump on Sept. 28 averted a partial government shutdown that would have started at midnight on Sept. 30 by signing a $854 billion continuing resolution budget bill for fiscal 2018 that funds the government through Dec. 7.
FDA funding - including the request for the digital health initiative's center of excellence - is not part of that spending bill, but rather is part of the FDA's overall fiscal 2019 budget request.
Some experts note that FDA's plan to create a cybersecurity unit within a new center of excellence for digital health would align well with recommendations made last year by a Department of Health and Human Services cyber task force report, as called for under the Cyber Information Sharing Act of 2015.
"This Center of Excellence for Digital Health with a cybersecurity unit may be 'just what the doctor ordered'."
—David Finn, CynergisTek
That report names specific challenges that will need to be addressed to enhance the cybersecurity of medical devices, including patching legacy operating systems, implementing a secure development lifecycle and using strong authentication, says David Finn a member of the task force. He's executive vice president of innovation at the consultancy CynergisTek.
"This Center of Excellence for Digital Health with a cybersecurity unit may be 'just what the doctor ordered'," he says.
Digital Health Initiatives
In a Wednesday statement, Scott Gottlieb, M.D., FDA commissioner, reiterated that the agency's approach to digital health is changing.
The goal "isn't to regulate the everyday health and lifestyle uses of consumer devices, but rather to focus our resources on reviewing more sophisticated medical apps that sit on top of this general-purpose hardware - the functions that have greater ramifications for patient health and where ensuring safety and efficacy of the application is critical," he wrote.
By focusing its review on the functionality of the software, the FDA's aim is to encourage greater innovation in digital health, including the use of artificial Intelligence and clinical decision support software, Gottlieb writes.
An example of FDA's evolving approach to digital health was its recent streamlined approval process for the marketing of new Apple Watch 4 cardiac apps, including an ECG app, Gottlieb notes.
As part of the agency's efforts to "modernize" its regulatory approach for digital health products, FDA last summer year said it would launch the digital health software precertification pilot program and would issue new guidance to update its policies and outline its efforts to promote innovation in digital health.
"Having a regulatory framework that enables a rapid cycle of product improvement is integral to ensuring innovation and success for digital health technologies," Gottlieb says. "The precertification model is ideally suited to these challenges. Our pilot will explore a regulatory approach that suits the technology and meets our standards for safety and efficacy."
With that in mind, the FDA says its proposal to create a center of excellence for digital health would advance its precertification model for digital health, "modernizing our regulatory approach to help this industry grow and reach its full potential, while protecting patients," Gottlieb writes.
The center of excellence would also explore building a new capacity to evaluate third-party certifiers of digital technologies under a precertification program, who will play a key role in the efficient development of these products, the statement says.
As the FDA advances its approach to digital health tools, it also needs to modernize its approach to ensuring those products are safe, the agency says in its statement. "A significant area of concern remains cybersecurity," the FDA says.
"The FDA is taking a lead role in medical device cybersecurity to address an unmet gap in the healthcare and public sector. Cybersecurity requires a multidisciplinary, focused team to bring together a range of requisite expertise to fully assess and validate high-risk/high-impact vulnerabilities and incidents, including potential patient safety implications," the statement says.
New Cyber Unit
The FDA's proposed new center of excellence will establish a public-private multidisciplinary effort "to bring together a broad range of requisite expertise to serve as a resource for industry and the FDA to assess cybersecurity vulnerabilities and incidents and help identify effective solutions," Gottlieb says.
Because its fiscal 2019 budget request has not yet been approved, FDA declined Information Security Media Group's request to provide additional details regarding the agency's plans for the proposed center of excellence.
But in its FY 2019 budget justification document issued earlier this year, FDA noted that the center of excellence will establish new review and oversight methods for digital health technologies based on risk.
"Under this paradigm, a company could market lower-risk products without FDA premarket review," the budget document states. "Higher-risk products could be marketed following a streamlined FDA premarket review if the company is certified by a third party as one that engages in high-quality software design and testing, validation and ongoing maintenance.
Step in Right Direction?
Some security experts say the center of excellence effort is a step in the right direction, especially as digital health technologies grow and new cyber threats facing those products as well as older medical devices evolve.
"I do think it's useful for the FDA to create a center of excellence for digital health products," says researcher Billy Rios of cybersecurity firm Whitescope. "The digitization of medical devices isn't going away. We're seeing significant investment from the largest device manufacturers to integrate healthcare with smartphone, smartwatch and cloud services," he says.
"The industry is moving really fast ... I hope we can keep up from a cybersecurity standpoint."
—Billy Rios, WhiteScope
"The always-on, always-connected nature of new medical devices expands the scope of medical device exploitation. Exploitation of a cloud service belonging to a popular device manufacturer could mean that every patient could be remotely harmed. We need to examine these systems end-to-end and ensure we have adequate cybersecurity. The industry is moving really fast... I hope we can keep up from a cybersecurity standpoint."
The FDA is on the right track in intensifying its attention to cybersecurity issues, says Ben Ransford, president of healthcare cybersecurity firm Virta Labs.
"I don't have an opinion on whether a 'center of excellence' is the right kind of apparatus, but it's entirely appropriate for the FDA to seek more resources to evaluate the issues they've successfully convinced [cybersecurity] researchers to bring to them," Ransford says.
"Anyone who chooses to publicize medical device security issues without involving the FDA is looking more reckless by the day."
A focus on cybersecurity by the FDA in its approach to evolving digital health products, including consumer-oriented health apps, would also help address potential cyber risks of these new technologies, Ransford says. "I'm very bullish on high-end consumer devices playing a role in patient care. Consumer devices are democratizing access to physiological data," he says. "Let's give more people access to more data, make sure the tools are built on a solid security framework ... and see where that takes us."
Mac McMillan, president of CynergisTek, says he'd like to see the new FDA cyber unit focus on "testing and certification of products to be used in the provision of care that process, store or transmit patient information or control care delivery, and the creation of a national healthcare products database available to providers and organizations that support them."
As the FDA makes plans to roll out a center of excellence, and a related cyber unit, it needs to tackle other related issues, McMillan contends.
"This is an excellent initiative and could have a very positive impact on problems long overdue for a solution," he says. "But without hard standards for manufacturers to follow or cybersecurity teeth in certification requirements for products, its effectiveness could be undermined.
"There is precedent for this type of program already in the government. Systems that are procured and used in other departments must meet specific requirements and undergo an independent laboratory analysis," he says. "The point here is that the labs doing the testing have specific standards they are evaluating against. What will FDA use?"