FDA’s ‘Medical Device Safety Action Plan’ Focuses on Product Life Cycles and Preventing Cyberattacks

In an effort to improve safety, the US Food and Drug Administration (FDA) has announced a new “action plan” to address concerns throughout the life cycle of medical devices, from premarket review through postmarket surveillance, with emphasis on the growing importance of cybersecurity.

In a statement issued April 17, 2018, FDA Commissioner Scott Gottlieb, MD, announced the release of the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health.

“Although medical devices provide great benefits to patients, they also present risks,” Gottlieb said. “And we are focusing equal attention on advancing new frameworks for identifying risks and protecting consumers.”

In recent years, the FDA’s medical device oversight has faced criticism from all sides. Some have accused the agency of approving devices on the basis of weak evidence and surrogate endpoints, with cardiovascular devices making up the largest class of recent FDA recalls. Others have complained that delays to device approvals are putting patients at risk and deterring innovation.

Safety and Streamlining

The five key elements of the new plan are:

• Establishing a medical device patient “safety net” to detect emerging safety signals quickly and take appropriate actions
• Exploring regulatory options to streamline and speed up postmarket mitigations when problems arise, including requiring companies to make labeling changes or implement user training
• Spurring innovation towards safer devices by offering companies incentives when they strive to make their devices safer in the absence of any emerging concerns
• Advancing medical device cybersecurity to assess and manage vulnerabilities that could harm patients and disrupt clinical care
• Integrating premarket and postmarket offices and responsibilities within the agency, and advancing use of the Total Product Life Cycle (TPLC) approach

In the 18-page document, the FDA explains that the reorganization effort will allow its employees “to take a more universal view of device oversight.” Until now, the agency’s medical devices center, the Center for Devices and Radiological Health (CDRH), has been primarily organized and staffed according to the stage of the product’s life cycle rather than by the type of product being regulated.

“Although that structure allows our employees to become specialized by function, it does not always promote the type of communication and collaboration that is proving essential to the continuously evolving innovation of medical devices,” the document states.

The new plan would put all individuals involved in device oversight into teams and give them responsibility for a specific device prior to its approval, and throughout its commercialization and ongoing use in patient care.

Beefing Up Cybersecurity

The cybersecurity section of the plan details how the FDA will consider requiring companies to disclose to the agency and to medical-device customers a “Software Bill of Materials,” to keep them aware of devices that may be subject to vulnerabilities and speed up the postmarket mitigations process for problems that do arise. The cybersecurity measures also include efforts to better protect against such things as ransomware campaigns that could disrupt clinical operations and delay patient care as well as vulnerabilities in systems that could enable individuals to carry out remote, multipatient, catastrophic attacks.

Within the report, the FDA says it also will explore the development of a CyberMed Safety (Expert) Analysis Board, which they envision as a public-private partnership designed to complement existing device vulnerability coordination and response mechanisms, and to serve as resource for both device makers and the agency.

“Medical device safety is a key priority for the FDA,” Gottlieb observed. “We’re committed to protecting American patients by minimizing avoidable risks and advancing device technologies that are delivering growing benefits.”