The last year of the Obama Administration will likely be remembered by FDA-watchers for two major agency initiatives affecting medical device regulation: cybersecurity requirements and CDRH’s establishment of a National Evaluation System for “real world” device monitoring, one of three strategic priorities for the 2016-2017 timeframe.
Each of these has been under congressional scrutiny, something that both the Trump Administration and the reinvigorated Republican majorities on Capitol Hill seem likely to continue.
Cybersecurity vulnerabilities first came under notice in a 2005 FDA guidance, but did not get serious attention until two years ago, when the Center issued a draft guidance on premarket submissions for managing device cybersecurity, followed by another last January on postmarket management.
Industry reaction has been cautious, with AdvaMed urging that both documents be combined, but not taking issue with the Center’s concerns, other than to say they should not be written in a “prescriptive” way, since guidances are supposed to be nonbinding.
AdvaMed’s three general comments on the guidance were: (1) “eliminate ‘essential clinical performance’ from the document and instead focus on maintaining device functionality and safety,” (2) provide more information about Information Sharing and Analysis Organizations, and (3) “continue to rely on consensus standards” such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.
In a March white paper, the Institute for Critical Infrastructure Technology suggested tougher FDA action.
“The medical device community is compliance-oriented,” it wrote. “Currently, healthcare device manufacturers and healthcare providers have the ability to ignore FDA’s recommendations. However, it is in the best interest of each organization and the community at large if the target audience pays attention to FDA’s underlying message to adopt a comprehensive risk-based cybersecurity program . . . It may be beneficial to healthcare providers, healthcare payers, and legislators to petition FDA to make the guidelines regulatory.”
In November, Congress stepped in, with House Energy and Commerce Committee members Diana DeGette (D-CO) and Susan Brooks (R-IN) asking FDA for details on plans to further reduce risks of hacking, unauthorized access, or use of malware in medical devices.
In a letter to commissioner Robert Califf, MD and CDRH director Jeffrey Shuren, MD, JD, DeGette and Brooks said: “The need for effective cybersecurity of medical devices has become more important with the increasing use of wireless, internet- and network-connected devices.
“Up to 15 million medical devices in circulation, ranging from monitors and infusion pumps to ventilators and radiological technologies, are integrated into the nation’s digitized healthcare network, creating possible avenues for cyber-attacks. As cyber threats continue to evolve at a rapid pace, FDA must work to prevent emerging threats, mitigate existing vulnerabilities, and assess the strength of a device’s cyber resilience in both pre-market and post-market contexts.”
In the absence of screaming headlines about a catastrophic attack, all this may seem an abundance of caution, but a Federal Times report in February, based on information obtained through a Freedom of Information Act request, revealed that FDA had reported 1,036 unspecified cybersecurity incidents between January 2013 and June 2015.
Some 50% of the incidents were attributed to unauthorized access, while 21% were scans, probes, or attempted access, and 19% were malicious code discovered on FDA systems. The report did not separate incidents involving medical devices from the other incidents reported by FDA.
In September, the Government Accountability Office (GAO) reported that its review of security controls over seven key FDA information systems found “a significant number of security control weaknesses [that] jeopardize the confidentiality, integrity, and availability of its information and systems.”
The GAO report said that FDA did not fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources. In particular, it said, the agency “did not always (1) adequately protect the boundaries of its network; (2) consistently identify and authenticate system users; (3) limit users’ access to only what was required to perform their duties; (4) encrypt sensitive data; (5) consistently audit and monitor system activity; and (6) conduct physical security review of its facilities.”
In response, FDA chief information officer Todd Simpson said that “information security and the protection of industry and public health information are among FDA’s highest priorities and we do not take lightly the recommendations provided by the GAO in its report. FDA has worked quickly to address the concerns outlined by the GAO, already fully implementing 80% (12 of 15) of GAO’s program recommendations and 61% (102 of 166) of GAO’s technical recommendations. We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year.”
The GAO technical recommendations were given in a separate report with limited distribution. There were 166 of them, addressing information security weaknesses related to boundary protection, identification and authentication, authorization, cryptography, physical security, configuration management, and media protection.
In his statement, Simpson said the agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis. “In support of these efforts,” he said, “we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report.”
Earlier, the HHS Inspector General’s Mid-Year Update disclosed that the office was reviewing networked medical device cybersecurity during the device approval process. It said the review report was expected to be issued in FY 2017.
National Evaluation System
Four years in the making, CDRH’s new National Evaluation System for health Technology (NEST) is finally coming on stream with broad-based support from all constituents to promote the acceptance of so-called “real world evidence.”
In the first of three published strategic priorities for 2016-2017, CDRH said it needs a national medical device evaluation system that will “build upon and leverage the vast amount of information and knowledge created every day as a part of routine health care or generated at home, such as patients using monitoring devices—what we call ‘real-world evidence.’”
It said that having access to large amounts of electronic clinical data being generated and collected today “can be used to identify safety signals and support risk-benefit analyses when data quality is ensured and advanced analytics are applied. Real-world evidence in the future will be able to support regulatory decision making across the pre- and post-market continuum. To make that vision a reality, we must develop systems to ensure that data quality is appropriate and sufficient for regulatory decision making, that data flows seamlessly between systems, and that unique device identifiers (UDI) are routinely incorporated into electronic health information.”
The Center explained that the new system would comprise electronic health information (EHI), registries, and medical billing claims. It would also access data from the agency’s Sentinel (currently claims data) initiative.
“It would be developed through strategic alliances between disparate data sources and advancing the UDI adoption in EHI, data quality standards, interoperability, and methods development,” the strategic report said. “The National Evaluation System would be operated by a public-private partnership and governed by a board with representatives from the various stakeholder communities in the medical device ecosystem, including government.”
CDRH says that by the end of 2016, Center staff should have access to 25 million electronic patient records (from national and international clinical registries, claims data, and e-health records) with device identification. And by the end of 2017, staff should have access to 100 million such records.