I entered the world of medtech cybersecurity five years ago, not because I was a cybersecurity professional (though I play one on TV), but because I am a regulatory innovator. I had founded and was leading the Regulatory Innovation team at Booz Allen, primarily focused on supporting FDA's Center for Devices and Radiological Health. I was overseeing Booz Allen's Independent Evaluation of the Medical Device User Fee Act, as well as two projects with the Division of Digital Health, and a benefit-risk decision science pilot with the Office of Product Evaluation and Quality. I was deeply committed to regulatory innovation as a means of medtech innovation.
Cybersecurity captured my attention. As I learned about the regulatory issues and complications of continuous postmarket vulnerability assessments, I realized that cyber could be the fastest path to speedier regulatory decisions. I came to believe that cybersecurity requirements for medtech will drive us (i.e., the industry, the regulators, the vendors to the industry) to reach continuous benefit-risk assessment at scale. In turn, continuous benefit-risk assessment is a necessary stepping stone toward achieving the promise of speed and scale of digital health (e.g., artificial intelligence, machine learning, real-world data, simulation).
Here's how cybersecurity is paving the way.
Background: As of October 1, (virtually) all FDA medical device submissions must include:
- a software bill of materials (SBOM);
- a plan to address both "known unacceptable vulnerabilities" and "critical vulnerabilities that could cause uncontrolled risks"; and
- a "reasonably justified cycle" for patching.
With just that short new guidance and a few reasonable assumptions, it is conceivable that medical device manufacturers will need to evaluate a product's benefit-risk profile more than ten times per month. Bear with me, I will present this like a logical "proof":
1. Assume "unacceptable" or "uncontrolled" is defined as "the device's benefit-risk profile has changed due to this new vulnerability."
2. Thus: Evaluating a vulnerability is equivalent to evaluating a device's benefit-risk profile.
3. Assume quarterly patching is a "reasonably justified cycle" (though many products are on an annual cycle).
4. Assume the typical device is affected by at least 10 new vulnerabilities per month, any one of which may be "critical" and need a patch before the end of the quarter.
5. Thus: The manufacturer must evaluate all 10 new vulnerabilities per month to determine whether any are "critical."
6. #2 and #6 logically lead to: The manufacturer must evaluate the benefit-risk profile of its device at least 10 times per month.
7. Assume manufacturers will automate vulnerability evaluation with SBOMs (e.g., procure commercial software), because 10 evaluations/month/product is unsustainable.
8. Assume FDA will use the same commercially-available software to monitor SBOMs for critical vulnerabilities.
9. Assume that since manufacturers know FDA could use their SBOMs to evaluate vulnerability assessment, manufacturers will ensure the evaluations meet FDA's evaluation requirements for safety and effectiveness.
Overall Conclusion: Taken together, these assumptions lead to the conclusion that, as an industry, we need to continuously evaluate postmarket benefit-risk assessment, and we will automate most of it.
Continuous, semi-autonomous, benefit-risk assessments. This would represent a profound leap. We'll be able to assert the safety and effectiveness of algorithm updates, software changes, UI designs, and more, faster than we can build them. Enabled by an infrastructure that was developed to meet cybersecurity requirements.
I once believed that FDA's digital health efforts (e.g., PreCert) were a leading edge of regulatory change. Now I believe cybersecurity requirements are the vanguard of regulatory innovation.
~Shannon, the Optimistic Optimizer
P.S. I love feedback and engagement, especially if you think I've missed the mark. Let me know what you think!