The U.S. Food and Drug Administration released a new best practices document this week to help healthcare actors and government agencies design a communication approach regarding cybersecurity vulnerabilities.
The agency’s Center for Devices and Radiological Health notes that the document is not a guidance and doesn’t create any regulatory expectations.
Instead, authors “hope that this document may be a useful resource for industry stakeholders and federal partners.”
WHY IT MATTERS
As the document notes, the increased use of connected medical devices in the country has, in turn, led to an increase in cybersecurity vulnerabilities.
During past meetings, patient advisors raised the importance of clear, actionable communication about such vulnerabilities in order to promote public health and mitigate potential harms.
With that in mind, when developing a cybersecurity communication strategy, the FDA advises stakeholders and federal partners to consider the following elements:
- Interpretability: Make it easy for people to read and understand by keeping it relevant, simple, timely and readable.
- Risks and benefits: Create a balanced discussion – especially if the device is lifesaving – to facilitate decision-making.
- Acknowledgement and explanation of the unknown.
- Availability and findability of information, including in online searches and on mobile devices.
- Structure of the communication material: Put clear, succinct messages at the top and provide visual cues.
- Outreach and distribution vehicles: Have a plan for reaching target audience members.
Just this week, Medtronic issued an “urgent” device recall for its MiniMed remote controller, for optional use with certain insulin pumps. The company said the controller could be susceptible to a cybersecurity risk and that such risks “outweigh the benefits of its continued use.”
THE LARGER TREND
Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA, told Healthcare IT News this summer that it will take collective action to address medical device vulnerabilities.
Schwartz said this week’s white paper was created with the patient community in mind.
“That particular framework we scoped specifically to patients who live with medical devices, are dependent for their lives or for their health on medical devices … so that they know even what kinds of questions or things they should be bringing to their clinicians,” she said.
“And it also serves for the very same reason in helping clinicians providers understand exactly what kind of language might [they] think about as [they] communicate to a patient about their device.”
ON THE RECORD
“Communicating about medical device safety is an important part of the FDA’s work to ensure patient safety and the overall safety and effectiveness of medical devices,” said agency officials in the new document.
“As the use of connected medical devices increases and cybersecurity threats to the healthcare sector have become more frequent, it is increasingly important for the FDA, industry, and other messengers to consider ways to improve on cybersecurity safety communications.”