The US Food and Drug Administration is considering several new measures to address medical device safety and cybersecurity, including a new public-private coordinating board to evaluate high-risk, high-impact connected devices.
The cybersecurity and related measures make up the agency’s new Medical Device Safety Action Plan, developed to focus also on issues including streamlined post-market processes; foster innovation to boost device safety; and merge the Center for Devices and Radiological Health’s (CDRH) premarket and post-market branches to advance a “Total Product Lifecycle” or TPLC approach to device evaluation and oversight.
Keeping pace with evolving cybersecurity threats and vulnerabilities is a key component of the agency’s Medical Device Safety Action Plan.
Among device cybersecurity improvements FDA proposes in the plan is the formation of the CyberMed Safety (Expert) Analysis Board (CYMSAB). The board would comprise experts from hardware, software, networking, clinical and biomedical engineering backgrounds to push integration of patient safety and clinical environment factors into assessments and validations of high-risk devices and incidents. CYMSAB responsibilities would include:
(The Trump Administration’s proposed federal budget for the 2019 fiscal year includes funding to create the CYMSAB, as well.)
Additional cyber-related proposals in the FDA Medical Device Safety Action Plan include changes to pre- and post-market requirements:
In addition to beefing up cybersecurity risk mitigation policies, FDA would also combine the pre- and post-market offices of its CDRH division in order to focus more on devices’ total product lifecycles (TPLC), which the agency argues will enhance safety oversight.
“Historically, FDA’s medical devices center, CDRH, has been organized largely according to the stage of the product’s life cycle—premarket review, postmarket surveillance, and compliance—rather than holistically by the type of product being regulated,” states the Medical Device Safety Action Plan.
Such an organization allowed for specialization according to function, but limited the regulators’ capacity to effectively oversee a rapidly evolving and innovative device sector.
According to the Medical Device Safety Action Plan, FDA would reorganize CDRH into a single unit with seven offices focused on specific device types; each of these smaller offices would manage premarket review, post-market surveillance, quality and enforcement efforts. CDRH would also launch a new office responsible for setting clinical evidence policy.