HHS OIG Finds Flaws in FDA’s Postmarket Cybersecurity Procedures

Posted 01 November 2018 | By Michael Mezher 

In a report released Thursday, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) says it found weaknesses in the US Food and Drug Administration’s (FDA) policies and procedures for handling postmarket medical device cybersecurity vulnerabilities.
With the proliferation of networked medical devices, both FDA and medical device makers have increased their focus on cybersecurity. In recent years, FDA has organized public workshops and issued both pre- and postmarket guidance on cybersecurity issues and has issued advisories for several high-profile cybersecurity vulnerabilities, most recently for Medtronic cardiac implanted electrophysiology devices (CIED).
The report, which sought to address FDA’s internal plans and processes for communicating and addressing postmarket device cybersecurity vulnerabilities, found that while FDA had such plans in place, they were “insufficient for handling postmarket medical device cybersecurity events.”
The report also found that FDA had “not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices” and did not have written standard operating procedures in two of its 19 district offices.
According to OIG, “these weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process.”
Based on its audit, OIG is recommending that FDA:
  1. “Continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies;
  2. Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a ‘need to know’;
  3. Enter into a formal agreement with Federal agency partners … establishing roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity; and
  4. Ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.”
However, OIG says that FDA has taken “proactive steps to address [its] findings” since the office conducted its fieldwork from fall 2016 to spring 2017.
In the interim, FDA has implemented some of OIG’s recommendations, such as forging closer ties with the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) through a new memorandum of understanding between the two agencies.
The report follows closely after another OIG report that made recommendations for FDA to better integrate cybersecurity into its premarket review process for devices by bringing up cybersecurity during the presubmission phase, adding cybersecurity documentation to the agency’s Refuse-To-Accept checklists and adding cybersecurity to its ‘Smart’ review template.


© 2022 Regulatory Affairs Professionals Society.