
By Phil Englert

A few weeks ago, I was on a discussion panel with Dr. Suzanne Schwartz, MD, Director-Office of Strategic Partnerships & Technology Innovation (OST), Center for Devices & Radiological Health (CDRH), FDA. The conversation revolved around the recent regulatory changes granting FDA statutory authority over managing cybersecurity risks of medical devices.
A question came in from the audience asking for an operational perspective on how the new regulations translate into managing risks for health care providers. In that moment, I had a flash that FDA’s cybersecurity guidance was very similar in approach to The Joint Commission’s (TJC) risk management approach found in the Environment of Care (EoC) guidelines. In that aha! moment, the similarities clarified, and I’d like to explore that thread a bit further.
My response included the observation that TJC guidelines for any of the six Environments of Care follow a consistent framework. The TJC EoC framework outline is: 1) you must have a risk management program specific to the environment (medical equipment is one example); 2) the program must adequately address specified elements; 3) there must be evidence, through measurement and reporting, that the program is being followed and that risk management effectiveness is assessed; and 4) the program will identify and pursue opportunities for improvement. More succinctly, “EC.01.01.01 requires an individual or individuals to manage risk, coordinate risk reduction activities in the physical environment, collect deficiency information, and disseminate summaries of actions and results.”
In contrast, FDA’s April 2022 draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, states that FDA “will assess the adequacy of a device’s security” based on five security objectives, and that submissions should include information that “describes how the above security objectives are addressed by and integrated into the device design.” The Joint Commission (TJC) and the FDA’s 2020 draft premarket guidance share some similarities in their approach to managing risk within health care delivery organizations, particularly in the context of cybersecurity risks introduced by medical devices in the health care market.
Both the Joint Commission and the FDA’s draft guidance adopt a risk-based approach to managing risk. This means that instead of applying a one-size-fits-all approach to all aspects of health care delivery or medical device cybersecurity, they focus on identifying and prioritizing risks based on their potential impact on patient safety and overall quality of care. This is essential given the variety of health care delivery environments and the vast spectrum of medical device technologies. The safety risks of medical devices present in an ambulatory surgery center (ASC) and a trauma center are not intrinsically different, but the patient tolerance for care interruption is typically higher in an ASC than for the more severe cases that may present at a trauma center. While the risks themselves may not differ significantly, the outcomes of those risks can vary drastically with the environment.
The TJC and FDA frameworks each emphasize the importance of identifying and assessing risks. The Joint Commission’s environment of care standards require health care organizations to perform risk assessments related to various aspects of patient care, including the use of medical devices. Similarly, the FDA’s draft guidance on premarket cybersecurity for medical devices requires manufacturers to assess and document the potential cybersecurity risks associated with their products. The FDA expects manufacturers to consider the risks their products introduce into the health care environment, including the risks associated with the transactions between those devices and systems and other endpoints and applications.
Both approaches encourage the implementation of mitigation strategies to address identified risks effectively. The FDA’s draft guidance emphasizes the importance of implementing appropriate cybersecurity controls and measures during the design and development of medical devices to mitigate potential risks. The Joint Commission expects health care organizations to have risk management plans that outline how they will address identified risks and prevent potential adverse events.
Both the Joint Commission and the FDA’s draft guidance promote a culture of continuous improvement when it comes to risk management. The Joint Commission expects health care organizations to monitor and evaluate their risk management strategies regularly and make necessary improvements as needed. Similarly, the FDA encourages medical device manufacturers to continuously monitor and update their cybersecurity practices throughout the device’s life cycle, considering new threats and vulnerabilities that may emerge.
Ultimately, the main goal of both approaches is to enhance patient safety and ensure the delivery of high-quality health care services. This includes safe operation, availability for treatment, and the integrity of the treatment and its data. By addressing risks associated with medical devices and health care delivery processes, these frameworks aim to minimize the potential harm to patients and improve overall care outcomes.
While The Joint Commission’s environment of care standards and the FDA’s draft premarket guidance for medical device cybersecurity have their specific scopes and nuances, they share a fundamental risk-based philosophy that centers on patient safety and the delivery of effective health care services. I’m grateful for the gentleman’s question that brought me to the realization that the regulatory drivers for cyber risk management of medical devices are closely aligned for both manufacturers and health care delivery. Hopefully, this commonality can improve patient safety and health care sector resilience.
Phil Englert is the director of medical device security for Health-ISAC.

