June 14, 2018 Source: Healthcare Info Security
Healthcare industry stakeholders say the FDA should consider a type of measuring stick when evaluating a vendor's cybersecurity culture to decide whether it meets the requirements for the agency's proposed fast-track program for premarket approval of "software as a medical device" (SaMD) products. Until the end of last month, the FDA accepted comments on its working model for a SaMD pre-approval program.
The FDA will take the comments into consideration as it refines its plan for the proposed program.
The FDA is proposing that vendors of certain medical device software (which includes various mobile apps) should be pre-certified, enabling them to be exempted from the FDA's premarket approval process for hardware-based medical devices.
The agency stated that its present guidelines for medical device hardware are not suited to the validation of SaMD.
The agency suggested that the evaluation should be based on five principles of a culture of quality and organizational excellence. It said that the FDA will evaluate a company's approach to product quality, patient safety, clinical responsibility and whether it has a "proactive culture."
The American Medical Association said the FDA should use "relevant existing standards" and should account for the diverse size of applicants when evaluating vendors.
The AMA also said: "The framework explains that there are widely identified gold standard frameworks, programs and processes free to support the proposed principle on cybersecurity responsibility. The National Institute of Standards and Technology's framework is an analog for the dominating FDA goal to balance adjustable quality principle demonstration with the need to ensure a suitable level of consistency and structure across organizations seeking precertification."
Other commenters also said that the FDA should consider a vendor's adoption of industry standards, including the use of accepted cybersecurity frameworks and various security certifications, as a sign of cybersecurity responsibility.
Medical device maker Roche Diagnostics stated: "We strongly support the FDA's intent to consider certifications already in place. This supports a least troublesome reach for product precertification."
Roche Diagnostics, a participant in the FDA's precertification pilot program, also commented: "For example, an organization's existing ISO certifications; compliance with existing standards and regulations; and cybersecurity certifications, for example HITRUST certifications, should be considered."
"The FDA should take a 'holistic' initiative to evaluate a vendor's execution of cybersecurity," the Healthcare Information and Management Systems Society (HIMSS) commented.
HIMSS commented that "effective cybersecurity needs extensive processes to ensure security risk alleviation occurs at every stage of the product lifecycle."
HIMSS also stated: "For the purposes of the precertification program, the medical risk of the intended use of the device should be the sole element considered for eligibility of a particular product to follow the accelerated pathway to market."
Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security Consortium, said that, aside from the FDA gathering comments on its proposed plans for a SaMD precertification program, many healthcare industry stakeholders are concerned about a continuing lack of openness from medical device manufacturers when it comes to the cybersecurity of their products.
By Ddu