FDA Ramps Up Resources for Medical Device Cybersecurity – Source: www.databreachtoday.com

Endpoint Security
,
Governance & Risk Management
,
Healthcare

FDA’s Dr. Suzanne Schwartz on How New ‘Super Office’ Boosts Agency’s Cyber Efforts

Marianne Kolbasuk McGee (HealthInfoSec) •
February 16, 2024    

The Food and Drug Administration’s multifaceted approach to bolstering medical device security centers on several critical areas, including enhanced regulatory oversight, industry collaboration and a recent organizational change that strengthens the agency’s medical device cyber-related work, said Dr. Suzanne Schwartz of the FDA.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Under a recent reorganization of the FDA’s Office of Strategic Partnerships and Technology Innovation, also known as OST, which Schwartz heads within the agency’s Center for Devices and Radiological Health, OST has been elevated to a “super office.”

This designation gives OST – and its five newly established sub-offices – more agility to adapt and address future public health needs while continuing to advance patient safety, innovation and regulatory science.

OST’s new Office of Readiness and Response has a newly created division dedicated to medical device cybersecurity issues, including response and coordination for cyber incidents involving devices.

The new division is being led by recently hired Nastassia Tamari, the former information security director at medical device maker Becton, Dickinson and Co., Schwartz said.

“It elevates the profile of the issues. And that’s a great thing, because it is something that we have for years been putting a lot of focus and a lot of attention on and been trying to showcase,” Schwartz said. “This is the opportunity to now do that with collaborators and stakeholders across the ecosystem at large.”

An omnibus funding bill signed into law in December 2022 granted the FDA greater regulatory authority over medical device cybersecurity.

The expanded authority includes enabling the FDA to apply its “refuse to accept” policy to medical devices when it discovers cyber issues with those devices. The FDA can immediately reject premarket submissions for new devices due to a lack of cybersecurity details, such as a software bill of materials (see: Inside Look: FDA’s Cyber Review Process for Medical Devices).

While premarket review of medical devices is still handled by the FDA’s Office of Product Evaluation and Quality, that staff works closely with the experts within the agency’s new medical device cybersecurity division in OST to assess the cyber information contained in manufacturers’ premarket submissions, Schwartz said.

“We work in very close coordination. Manufacturers are taking it seriously. They understand that our reviewers have been trained and are continuously being trained and are continuously learning from the subject matter experts in this area,” she said. “There’s greater consistency around how reviews are undertaken within the area of medical device cybersecurity.”

In this video interview with Information Security Media Group, Schwartz also discussed:

• Other medical device cybersecurity-related activities underway at the FDA;
• The FDA’s collaborative work with other government agencies, including CISA, and industry groups, such as the Healthcare and Public Health Sector Coordinating Council;
• Emerging issues involving artificial intelligence and machine learning-enabled medical devices.

Schwartz, who leads the FDA’s Office of Strategic Partnerships and Innovation within the agency’s Center for Devices and Radiological Health, also chairs the center’s cybersecurity working group, which is tasked with formulating the FDA’s medical device cybersecurity policy. She also has served as co-chair of the Government Coordinating Council for the healthcare and public health critical infrastructure sector.