FDA is seeking feedback on a possible model for communicating cybersecurity vulnerabilities to patients in a way that is timely, relevant and simple.
The agency's discussion paper suggests a cybersecurity communication framework could be designed to get information to patients and caregivers as early as possible, while ensuring they understand the risks and the steps to mitigate the vulnerabilities arising from increased use of connected medical devices.
The document is for discussion purposes only and is not a draft guidance communicating FDA’s regulatory expectations. Rather, the agency has created the paper to gather early input from third parties and is accepting feedback until Dec. 21.
In September 2019, FDA held a Patient Engagement Advisory Committee meeting as part of its efforts to establish rules for when it sends cybersecurity vulnerability warnings. Attendees at the event discussed topics including how hard it is for patients to conceptualize the risks posed by connected medical devices. Those conversations led to the release this week of a new discussion paper.
The paper proposes six core elements to consider when developing a cybersecurity communication framework: interpretability; discussing risks and benefits; acknowledging and explaining the unknown; availability and findability of information; structure of the communication material; and outreach and distribution vehicles. FDA wants the industry to consider whether the elements are the most appropriate building blocks of a communication framework.
FDA has provided details of its thinking about each element to inform the considerations. Many of the elements are intended to ensure patients can access, understand and act on information.
The document states FDA and industry share responsibility for ensuring it is easy for patients to find information. With that in mind, the agency suggests safety communications on cybersecurity risks should incorporate search engine optimization best practices, for example by including the name of the manufacturer and device in the title of alerts. FDA also thinks it is important to include the name of the vulnerability in the title but warns patients may confuse it with the name of the device.
FDA sees outreach and distribution vehicles as an important element for ensuring information gets to patients. The agency suggests organizations create outreach plans that consider the demographics of the patient population and then use the mix of email, text messages, social media, television, websites and other distribution vehicles that is most likely to reach the target audience.
Other sections of the document discuss how to ensure patients understand communications. FDA sees presentation as one element of clear communication, highlighting the benefits of adopting responsive, mobile-friendly designs and using visual cues such as callout boxes and bolded text to point readers to the main messages.
The structure and wording of the text itself are important, too. FDA is proposing communications state the risks and their urgency toward the top of the text. Communications should also use terminology the audience will understand and provide clear, concise instructions on the actions patients should take. Message testing with target audiences is one way to ensure communications are relevant.
FDA released the discussion paper ahead of a virtual meeting it is holding on Thursday. Although the meeting will focus on artificial intelligence and machine learning, attendees will hear from representatives of FDA and Philips before participating in sessions to discuss the document and questions the agency created to shape the debate.