The FDA has published a discussion paper on how makers of regulated products will have to develop a communication plan for cybersecurity, which includes getting information on cybersecurity risks to patients/users.
The FDA’s device center made it clear that the discussion paper for communicating cybersecurity vulnerabilities to patients is anything but a guidance, but the document gives a clear look at the agency’s current thinking on the subject. One message that comes through loud and clear is that makers of regulated products will have to develop a communication plan for cybersecurity, one which will have to account for a number of potentially costly mechanisms for getting information on cybersecurity risks to patients/users.
Cybersecurity for medical devices has been a point of emphasis at the FDA’s Center for Devices and Radiological Health (CDRH) for several years. The agency conducted a patient engagement advisory hearing in September 2019, during which the committee made several recommendations. One of these is the possible use of a color code scheme akin to the colors of traffic signals to communicate the severity of a cybersecurity threat. Another conclusion reached by the committee was that patients/users should be advised of a threat even as a countermeasure is in development.
The discussion paper seemingly echoes that sentiment in a section titled, “Keep it Timely,” stating that communication of a cybersecurity threat should be communicated with patients and caregivers as early as possible. This is particularly emphasized in the case of a serious threat to a patient’s or user’s health or life. Some stakeholders expressed misgivings about this, making the argument that disclosure of a vulnerability prior to development of a countermeasure could invite exploitation of that vulnerability by other bad actors, thus amplifying the problem.
Paper Includes Recommendation on Content, Accessibility
The discussion paper makes several other points in the context of the interpretability and utility of the messaging. In the section titled, “Keep it Relevant,” the FDA emphasizes:
- A clear explanation of the risks near the top of the communication/message;
- A call to action so that patients/caregivers can take any possible steps to mitigate the identified risk; and
- Clarity and concision in the instructions provided in the communication.
The discussion of readability of any messages about a vulnerability includes a recommendation regarding translation into non-English languages, making the point that machine translation may not be ideal for this purpose. The sponsor is also advised to acknowledge and explain any unknowns associated with a vulnerability, a measure intended to avoid any damage to the credibility of the manufacturer/developer of the device.
Because patients and users will rely heavily on web searches to obtain information about a vulnerability, the FDA recommends routine use of search engine optimization. Given that 96% of adults in the U.S. own a smartphone, any web-based content should be optimized for mobile technology. This is particularly critical for those with no broadband access at home, but this aspect of communication imposes some requirements for how information is arranged.
Among the proposed practices to address this situation is the use of sub-heads, bullets, and short paragraphs that promote readability. The FDA also advised that mobile-friendly designs and writing techniques also enhance findability, given the assumption that search engines tend to rank mobile-friendly content higher. There is also the legal requirement for accessibility under Section 508 of the Rehabilitation Act.
Formatting Considerations may be Familiar
Companies with experience in developing labels and other materials for patients and consumers might recognize some of the content of a section on communication structure. The discussion paper highlights the roles of call-out boxes, along with bold and italicized text, the latter two of which are included in a guidance dealing with boxed warnings and other precautionary statements for drugs and biotech therapeutics. The cybersecurity discussion paper states that these approaches may be useful in efforts to craft a message that is both compelling and palatable to lay audiences.
However, the more resource-consuming consideration may be found in the discussion of an outreach plan for communicating information to patients and users. An outreach plan should consider the “must-reach audience” for the materials, which would be transmitted via channels that would take into account a number of factors. Among these are:
- Age, race and ethnicity;
- Language and geographic location; and
- The patient’s/user’s disease/device used, along with any other feature that might facilitate effective communication.
The paper is not specific as to which or how many non-English languages would have to be included in any such plan, although Spanish is most commonly cited as a sole second language for device communications. The paper states also that the need to quickly communicate a vulnerability suggests a need to develop an ongoing relationship with outreach partners before the need for such communications arises. A template for those communications is also recommended.
The FDA states that the vehicles used to distribute the message to the different audiences must be adjusted to ensure the message is delivered. The choice of vehicle is also somewhat dependent on characteristics such as ethnicity. E-mail and patient listservs, text messages and social media are among the more prominently available vehicles, along with television ads and websites.
Each of these channels has its own advantages and disadvantages, such as the low cost associated with social media, which suffer from a greater credibility problem than other approaches. The FDA acknowledged that a television ad would be a highly costly approach, although information presented this way would enjoy a significant credibility advantage over other options.
The Advanced Medical Technology Association, which provided the feedback on the question of the timing of a disclosure of a cybersecurity vulnerability, argued that third-party servicers of medical device systems and equipment should be included in the scope of the recommendations. AdvaMed also pointed out that the CDRH has a number of policies for communication in the postmarket setting and urged the agency to clarify the relationship of the FDA’s expectations regarding cybersecurity communications with these other communications policies.