Lawmaker Seeks Answers to OIG’s Findings on FDA’s Cybersecurity Policies

Posted 12 November 2018 | By Ana Mulero 

A recent report from the Office of the Inspector General (OIG) “highlighted some very important issues” where the US Food and Drug Administration (FDA) “has room for improvement,” Sen. Chuck Grassley (R-IA) argued in a letter to FDA Commissioner Scott Gottlieb.
 
The 9 November letter from Grassley, chairman of the Senate Judiciary Committee, follows on the heels of the findings and recommendations OIG at the US Department of Health and Human Services outlined in a 1 November report on FDA’s actions around medical device cybersecurity.
 
OIG’s “revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit,” Grassley said, citing medical devices’ potential for exploitability by foreign actors. “I think you can agree, action must be taken to reduce and eliminate these threats,” Grassley told Gottlieb.
 
Grassley called on Gottlieb to provide written answers to four questions with regard to OIG’s report by 23 November in support of strengthening FDA’s policies and procedures around postmarket cybersecurity risks to medical devices. The questions relate to steps taken to address each of the four OIG recommendations and whether FDA has assessed the possibility of foreign governments or other entities being threats to postmarket medical device cybersecurity.
 
Grassley further argued it is “important Congress gain a better understanding of what” the agency does with the information received via medical device reporting (MDR) of adverse events as it receives “hundreds of thousands” of MDRs each year. He asked Gottlieb to explain how FDA is using MDR data, whether it is being used to improve medical device cybersecurity and whether the agency’s MDR system can be used to report cybersecurity-related concerns.
 
On behalf of the Senate Judiciary Committee, Grassley also requested the commissioner provide staff members with a briefing on current cybersecurity threats to medical devices and FDA steps to combat these threats. “Cyber risks to the health care sector are real, ongoing, and all reasonable efforts must be taken to combat them to protect patients,” Grassley said.
 
Meanwhile, FDA has pushed for greater use of cybersecurity considerations across the total product lifecycle as connected medical devices continue to proliferate in the global market.
 
The agency finalized guidance on postmarket cybersecurity for medical devices last year and issued newly drafted guidance last month to update 2014 premarket policies. It is also collaborating with the International Medical Device Regulators Forum for global regulatory harmonization of cybersecurity terminologies and it has officially recognized the first set of voluntary consensus standards around cybersecurity.
