FDA Seeks Feedback on Medical Device Cybersecurity Threat Communication

October 28, 2020


The U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) has issued an initial framework for communicating medical device cybersecurity vulnerabilities and threats to patients and caregivers.

Emphasizing the document as a “framework,” not a guidance, the FDA is seeking public feedback from patients, patient advocacy organizations, the medical device industry, clinical researchers, and others. The feedback period closes on December 21. FDA says it will use the feedback to inform future efforts designed to improve cybersecurity safety communications.

On October 22, the agency held a virtual Patient Engagement Advisory Committee (PEAC) meeting to discuss best practices and elements to consider when further developing a cybersecurity communication framework for quickly and clearly notifying patients and caregivers of medical device cybersecurity threats. The PEAC stressed the importance of messages that convey a “balanced discussion” of risks and benefits, especially when the probability of cybersecurity exploitation remains unknown.

The agency said it established the PEAC to help assure that the needs and experiences of patients are included as part of the FDA’s deliberations on complex issues involving the regulation of medical devices.

Prior to the advisory meeting, FDA issued Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework, which outlines how the FDA, federal partners, and industry stakeholders can better “thoughtfully inform patients and the public about cybersecurity vulnerabilities.”

The framework’s key points for effectively communicating medical device cybersecurity risks and threats to patients and caregivers include:

  • Make it easy to read and understand: when developing safety communications, consider how to convey the message in clear and plain language.

  • Keep it timely: communicate with patients and caregivers as early as possible.

  • Keep it relevant: state the risks and the urgency near the top of the safety communication so patients and caregivers understand them.

  • Keep it simple: use terminology the audience understands, so that readers can grasp how any affected medical devices are vulnerable.

  • Keep it readable for diverse audiences: provide information in readers’ preferred languages.

  • Make it easy to find: ensure the audience can locate cybersecurity threat information through online searches.