Dive Brief:
- Boston Scientific, GE Healthcare and BD are among device manufacturers raising alarms over FDA's proposal to create two tiers of cybersecurity risk buckets for devices in its October device cybersecurity guidance.
- GE Healthcare called the tiers "confusing and vague," BD called for the elimination of the proposal to ensure "equal, high standard security practices to all devices" and Boston Scientific echoed the call to eliminate the proposal, saying a risk-based analysis for all devices based on special controls would better protect patients.
- FDA's proposal to implement a cybersecurity bill of materials also drew fire from the device industry trade group.
Dive Insight:
Amid high profile cyber attacks on health systems and device makers, the FDA has been stepping up its oversight with an ambitious plan to reduce vulnerabilities throughout a product’s lifecycle.
The Medical Device Safety Action Plan calls for new authorities to require manufacturers to build security updates and patch capabilities into products beginning at the design stage and to have formal policies and procedures for swift coordinated disclosure of vulnerabilities discovered after products hit the market.
In the latest set of public comments on FDA plans, AdvaMed, the Medical Imaging & Technology Alliance and the Consumer Healthcare Products Association agreed additional clarification is needed to explain how the agency plans to implement the tiered system based on cybersecurity risk.
AdvaMed also backed nixing the proposed tiered system, while MITA sought examples of how the classification of the tier system will be applied to specific types of devices like in vitro diagnostics and radiology devices.
"The tier system descriptions are unclear. How will the FDA distinguish between a medical device for which a cybersecurity incident could directly result in patient harm to multiple patients, and one that does not? What does the phrase 'harm to multiple patients' mean in practice?" MITA asked.
On the cybersecurity bill of materials front, AdvaMed argued the agency is getting ahead of its statutory authority, pointing to FDA's admission in its 2018 Medical Device Safety Action Plan it would seek new authority from Congress to implement the idea.
"Because FDA has not previously required documentation of a BOM, under the statutory 'substantial equivalence' standard for Class II medical devices we do not believe FDA can impose these requirements on new devices that have demonstrated substantial equivalence to a predicate device. FDA should explain its authority for such a requirement," Zachary Rothstein, AdvaMed vice president of technology and regulatory affairs, wrote in the group's comment.
AdvaMed raised concern FDA's proposal to include a BOM for hardware in addition to software may be counterproductive to the agency's goals. GE Healthcare commended the agency for taking action to ensure proper information sharing, but echoed concern hardware requirements may be too onerous and obscure the value of a software bill of materials.
"If the BOM were to include all software and all hardware down to the lowest component level, the sheer amount of data provided will very likely work against the shared goal to prioritize, prevent and react to cybersecurity risks to protect patient health," Rothstein wrote.
