FDA awards $2.8m for expansion of medical device cybersecurity programs

The Medical Device Innovation Consortium (MDIC) has been awarded $2.8 million in funding by the U.S. Food and Drug Administration (FDA) for the expansion of the Case for Quality and medical device cybersecurity programs.

This award will develop and evaluate a variation of the Case for Quality Voluntary Improvement Program pilot (CfQ VIP) for medical device manufacturing sites that identify as having quality system issues or have been determined to be out of compliance with the quality system regulations. This variation will assess whether using a quality maturity assessment process that evaluates the execution of a quality system, instead of compliance, leads to faster improvements in quality and compliance. The award also expands proposed work on threat modelling for cybersecurity of medical devices. A systematic approach to threat modelling can enable manufacturers to effectively address system level risks, including but not limited to risks related to the supply chain, design, production, and deployment. As an integral part of managing medical device cybersecurity risk, integration of threat modelling provides a blueprint to strengthen security through the total product lifecycle of medical devices.

Jeff Shuren, director of FDA’s Center for Devices and Radiological Health (CDRH), said: “MDIC has been an essential partner for the Case for Quality since 2015. The expansion of this program will enable us to further collaborate with MDIC to enhance the success of CfQ VIP while promoting high-quality devices and increasing patient safety. Further, we are encouraged that the work being done by MDIC on cybersecurity threat modelling could ultimately help medical device manufacturers strengthen their cybersecurity efforts, leading to safer, more resilient medical devices that improve patient lives. We remain committed to our MDIC partnership and identifying opportunities like these to enhance our work together.”

The new CfQ effort will apply the systemic improvement focus of the quality maturity appraisal used by the CfQ VIP, along with product safety metrics, and incorporate a regulatory compliance perspective using the ISO 13485 standard.

MDIC will study the adoption and use of advanced manufacturing practices in non-medical device industries, contrast it against their use in the medical device industry, identify barriers within the industry that prevent adoption, and inform how adoption of these best practices can improve quality, performance, and compliance. It will be launching a boot camp series on cybersecurity threat modelling for medical devices and developing threat modelling best practices for device stakeholders.

Together, MDIC will help CDRH and industry determine if the success of the CfQ VIP for compliant manufacturers can also help non-compliant medical device manufacturers accelerate their return to a compliant state of operation while implementing improvements that not only address compliance gaps but also promote higher product quality.

Additionally, MDIC’s work on cybersecurity threat modelling for medical devices aims to enable manufacturers to address system level risks, including risks related to the supply chain, design, production, and deployment.
