2020-10-08

There are some U.S. FDA work items that have been hampered primarily by the COVID-19 pandemic, and some that have just proven difficult to push across the finish line. The FDA’s October 2018 draft guidance for premarket considerations for cybersecurity in medical devices might fall into that latter category, but the FDA’s Suzanne Schwartz said the agency will reissue another draft version of that guidance, which will be available sometime in early 2021.

The 2018 draft guidance was an overwrite of a final guidance issued four years earlier, but the 2018 edition drew fire on several counts. Perhaps the most unsettling aspect of the draft for industry was that it created two tiers of cybersecurity risk, which would be overlaid on the device’s inherent risk, a scenario some said would engender confusion.

Schwartz, who serves as the director of the FDA’s Office of Strategic Partnerships and Technology, said the Center for Devices and Radiological Health (CDRH) is still keen on raising awareness of cybersecurity concerns, particularly given that patient safety is part of that picture. She noted that the center has issued guidance for both the pre- and postmarket side for med tech, adding that the total product life cycle approach is still critical.

CDRH sees cybersecurity as a subset of the Quality Systems Regulation, Schwartz said, adding that the response to these threats will be iterative, a fact of life that will make its way into the center’s guidances on the subject. The 2018 draft was published with what Schwartz described as “an unusually lengthy comment period” of 150 days, and the agency received a large volume of useful responses. That response will be used to write a new draft guidance “that we look forward to being able to issue later on in 2021,” she said.

Pandemic created a more fertile ground for hackers

Brenda Sharton, a partner in the Boston office of Goodwin Procter LLP, said a description of the worst-case scenario in cybersecurity is dependent on circumstances, but added that cybersecurity reports spiked after the COVID-19 pandemic began because hackers saw a larger field of opportunity. “We’re seeing it settle in at two to three times the normal rate,” Sharton said, part of which is engendered by the drastic increase in the use of telehealth. Ransomware has also spiked, and was reportedly the cause of a death in Germany after a woman was turned away from a hospital in Dusseldorf, but died before staff at a nearby hospital could treat her.

Sharton recommended that device makers and other private-sector entities double down on cybersecurity as a result of the heightened risk. “If you remember nothing else after this seminar, call your IT people and ask if [they] have multi-factor authentication in place,” she recommended, adding that nation-state actors are also increasingly active of late. This is particularly the case where intellectual property is concerned, but there is also an uptick in the use of phone calls to obtain payment for fraudulent billings. Sharton said another increasingly common ploy is to call a company and threaten a dump of confidential information unless a company executive responds in a short span of time, such as within 30 minutes.

Sharton said a company should not leave itself in a position of having to learn about cybersecurity on the fly, explaining, “you want to have a certain amount of muscle memory” in dealing with such problems. Some seemingly trivial measures could prove tremendously helpful if ransomware takes a company’s system offline, such as a printed copy of the incident response plan. Another measure that can help an entity right itself in a ransomware scenario is the installation of secured communication software on employee cell phones.

Another crucial question is: “Is your cyber-insurance up to date, and does it cover ransom?” Sharton said. Device makers may want to think about the aftermath as well. “Think about two months after the cyberattack. You’re going to hear from the regulators,” she said, adding that executives will want to be able to explain to regulatory entities that they took robust measures to ward off an attack. Once a company decides what narrative would demonstrate the exercise of due diligence, it has at least a fairly useful roadmap of the steps it should undertake immediately.

Schwartz said the agency would expect a device maker to be transparent with customers about an event or a threat, particularly given that the threat may evolve and expand over a period of days and weeks after the initial attack. She said a device maker should not wait until it has a precise picture of the nature and scope of the threat to communicate with others, again because of the evolutionary nature of many attacks. The information can be conveyed with the advisory that the understanding of the attack is likely to evolve.

Device makers may want to consider paying more attention to software and hardware vendor management as an aspect of cybersecurity, particularly before a contract is signed. The vendor can be held contractually liable for breaches that come through its product, and vendor assessments should be updated routinely, particularly after an attack. Sharton suggested that a review of existing contracts is advisable, comparing each vendor’s cybersecurity protocols against best-in-class practice.