The FDA is putting increased emphasis on responsible disclosure policies as part of aftermarket cybersecurity guidelines. At the same time, medical device buyers are becoming more aware of potential cybersecurity risks and creating their own purchasing guidelines related to device security. Increasingly, medical device companies are finding that having a responsible disclosure policy in place is a competitive advantage as well as a regulatory requirement. However, most responsible disclosure programs were designed by and for the software industry and do not properly address the legal and regulatory requirements, data confidentiality issues and potential for patient harm that medical device manufacturers must account for.
An infusion pump manufacturer came to Battelle for help in putting together a responsible disclosure policy. While their device had not been hacked, they realized that the life-critical nature of the device gave it a very high risk profile and made it likely to come under heavy scrutiny from security researchers. They wanted to be proactive and develop a comprehensive responsible disclosure policy of their own rather than waiting for definitive guidance from the FDA.
The company needed a responsible disclosure policy that would fit well with their existing internal policies, procedures and workflows. We worked with them to understand their current risk management and quality systems and developed a responsible disclosure procedure that worked within the systems they already had in place. Our framework included the public policy that was posted on their website and the internal procedures that would be followed in the event that a report came in. We clearly defined the flow of information through the organization, the decision gates at each point in the process, the people responsible for making decisions at each step, and the decision matrix that would be used to determine next steps. The policy was designed with clear connections to their existing risk control and quality processes. We also provided extensive internal education for all stakeholders in the company, including senior management and legal teams, to assist with the culture shift that was required to make the policy successful. Finally, we conducted test exercises to validate the process.
The groundwork laid by this process put the company well ahead of the industry curve, and made them better prepared to meet new FDA guidelines for responsible disclosure. With all stakeholders fully on board, the company is sending a clear signal to the FDA, the security community and their buyers that they are making cybersecurity a priority.