FDA Seeks Comments on Medical Device Cybersecurity Communications Framework Discussion Paper
On October 19, 2020, the Food and Drug Administration's (FDA) Center for Devices and Radiological Health released a draft discussion paper titled "Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework" (Discussion Paper) and invited public comment. Specifically, the FDA seeks input from a range of stakeholders to elucidate best practices when communicating with patients and caregivers about cybersecurity responsibilities regarding connected medical devices. According to the FDA, an increased use of connected medical devices, such as implantable medical devices and wearables, has led to a corresponding uptick in cybersecurity vulnerabilities and related risks. The FDA intends to use the public feedback it receives to guide future efforts to improve cybersecurity communications and potential cybersecurity frameworks, including using the feedback to inform regulatory measures and potential guidance documents.
In 2018, the FDA similarly sought public comments regarding the management of cybersecurity in medical devices. In its draft guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, the FDA explained that the need for effective cybersecurity for medical devices had become more important with the increasing use of internet- and network-connected devices and invited public comment on how to address the growing risks. Now, two years later, the Discussion Paper seeks to address how to effectively communicate these risks to the public.
In addition to soliciting general guidance, the Discussion Paper invites comments on whether and how a cybersecurity communications framework should include the following elements:
- interpretability of safety communications, including how to ensure rapid delivery of the communication, how to make it readable, clear, simple, and relevant, and how to ensure the communication is understood by diverse audiences;
- discussion of risks and benefits, including communicating when the probability of cybersecurity exploitation remains unknown, and a consideration of risks associated with mitigation;
- acknowledgment and explanation of the unknown, paying specific attention to how this risk is conveyed to avoid omissions or oversight;
- availability and findability of information regarding cybersecurity risks, including making the information easy to find in online searches, easy to view on mobile devices, and accessible to individuals with disabilities;
- guidance on the structure of the communication material, including leading with the most important information first, providing visual cues to draw attention to this important information, and grouping like information where possible; and
- outreach and distribution vehicles, including giving consideration to the target audience, the key messages, and the means by which to reach the target audience such as via listservs, text messages, social media, television, and/or websites.
The FDA also would like opinions on whether the identified elements should be strengthened or clarified to help develop a useful framework and whether to include any other elements.
Overall, the Discussion Paper suggests that the most appropriate framework should be straightforward and targeted to its specific audience. Thus, any proposed framework will need to take into account the age, race, ethnicity, language, geography, disease, device used, or other identifying feature that could assist efforts to reach target audiences. As such, a one-size-fits-all approach will likely be insufficient.
Comments must be submitted by December 21, 2020, and stakeholders wishing to engage on how they may need to provide evidence of vulnerabilities in the future should carefully consider the implementation of such a program. Please contact us for further information.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.