The U.S. Food and Drug Administration (FDA) appears intent on positioning medical devices within the realm of health IT infrastructure. Twice this month, the FDA has issued draft guidance on medical devices — first on Jan. 22 relating to cybersecurity, and then on Jan. 26 covering interoperability.
The cybersecurity guidance recommends that device manufacturers “implement a structured and systematic comprehensive cybersecurity risk management program and respond in a timely fashion to identified vulnerabilities.”
“All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities — some we can proactively protect against, while others require vigilant monitoring and timely remediation,” commented Suzanne Schwartz, MD, acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, in a public statement.
The agency’s guidance, open for public comment for 90 days, includes among its critical components:
- applying the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity;
- monitoring information sources for identification and detection of vulnerabilities and risk;
- understanding, assessing and detecting the presence and impact of a vulnerability;
- establishing and communicating processes for vulnerability intake and handling;
- defining essential clinical performance to develop mitigations that protect, respond to and recover from cybersecurity risk;
- adopting a coordinated vulnerability disclosure policy and practice; and
- deploying mitigations that address cybersecurity risk early and prior to exploitation.
In its draft guidance on interoperability, the FDA states, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices as well as other technology offers the potential to increase efficiency in patient care.”
The guidance, intended for medical device manufacturers, includes considerations for designing systems “with interoperability as an objective,” performance testing and risk management activities, and publicly specifying functional, performance and interface characteristics.
The FDA is looking to establish interface requirements and specifications early in a product’s lifecycle. For example, a submission for pre-market approval should include “a discussion of any electronic data interfaces found on the device, the purpose of each interface, and the anticipated users of the interfaces ... If the interface is only meant to be used by the manufacturer, this should be clearly stated. If the interface is meant to be used with only specific devices, those devices should be clearly specified.”
In addition, for a device intended “to exchange or use data with or from other medical devices, products, technologies or systems,” the description should explain how information would be exchanged and the expected impact of the exchanged information on the device or other impacted devices. Such detail may include the following elements:
- Explanation of the interface’s purpose and role within an interoperable system.
- Specification of whether the interface is meant to transmit, receive or exchange information.
- Specification of any standards used.
- Description of requirements for timeliness and integrity of the information (e.g., sample rate, transmission rate).
- Discussion of device limitations, contraindications, precautions and warnings.
- Description of the functional and performance requirements in relation to the clinical context of the information.
- Description of the application programming interface if the device can be used by other software, medical devices or systems.
“Device design elements that factor in interoperability considerations may improve data portability and patient safety,” according to the FDA document.