Thinking about medical device cybersecurity risk is a little like considering a potential airplane crash, Thermo Fisher Scientific cybersecurity researcher Jay Radcliffe told FDA's Patient Engagement Advisory Committee Tuesday.
The impact if the risk played out could be high, but the probability of it being realized is low.
Unlike a plane crash, it's usually difficult for patients to conceptualize these risks, which underscores the importance of training healthcare providers in cybersecurity to help guide patients, presenters and panelists advised the agency.
And the fact that risks are difficult to quantify or mitigate doesn't change the responsibility FDA and manufacturers have to inform patients and providers of all known vulnerabilities through well-tailored communications, the panel said.
Often, patients' most trusted caregivers lack the expertise to help them engage safely with their connected devices. It's rare for a professional to have a high degree of both clinical and cybersecurity knowledge, said presenter Kevin Fu, an embedded security researcher and associate professor at the University of Michigan. "Not many students are able to survive that kind of rigorous training," he told the panel.
Still, panelist Mondira Bhattacharya, VP of pharmacovigilance at MyoKardia, said cyber training ought to be increasingly incorporated into medical, pharmacy and nursing school curriculums, particularly in device-heavy specialties like cardiology or nephrology.
Better training in healthcare organizations would allow for more thorough informed consent processes, which will become even more important as the availability of non-connected devices to patients declines, said presenter Christian Dameff, medical director of cybersecurity at UC San Diego Health.
Researchers lack good data on how often medical devices are hacked, but that picture could improve, Dameff said, as better-informed patients become more aware of the signs of adverse events.
Despite some concern from FDA about unnecessarily burdening a patient with too many communications, the panel resoundingly agreed that regulators have a duty to inform patients of known device vulnerabilities, even if a mitigation is not yet available. FDA's knowledge could factor into a benefit-risk analysis so it ought to be shared across many different channels, the panel said.
As for how messages are framed and how frequently they're sent — it's not a one-size-fits-all solution, the committee said. Situations vary by device type and disease state as well as by a person's internet connectivity, age and ability. Input from any given patient population should be included in FDA's development of tailored strategies, panelists said.
To address the concern that FDA broadcasting vulnerabilities could tip off bad actors, some panelists said manufacturers and regulators should, in some cases, target messages to individual patients known to have a specific model of a device instead of sharing that information with the general public. Leveraging the unique device identifier system might be one way to achieve this outcome, said panelist and patient advocate Suzanne Schrandt.
The agency might also consider establishing a tiered severity scale for communications to help patients quickly understand when a risk advisory demands their particular attention. Panelists discussed the idea of a red-yellow-green, stoplight-style template.
Ultimately, optimizing medical device cybersecurity planning is an endeavor "in its infancy," said Suzanne Schwartz, acting director of the Center for Devices and Radiological Health's Office of Science & Strategic Partnerships.
While FDA's meeting focused on communications regarding postmarket devices, some speakers offered reminders that cybersecurity measures must begin premarket, as early as “the whiteboard phase” of device development. It's virtually impossible to build a totally secure medical device, Fu said, but it's important to design devices that can "gracefully" tolerate an attack, meaning an attack won't prompt complete device failure.
“We don’t always think that safe and effective means they need to be cybersafe,” Acting FDA Commissioner Ned Sharpless said.