The Department of Health and Human Services’ Office of the Inspector General (OIG) is calling on the US Food and Drug Administration (FDA) to further integrate cybersecurity into its review processes for medical devices.
The recommendation comes as OIG notes that currently, FDA’s “Refuse-To-Accept” checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information. In addition, FDA’s “Smart” template, which is used in submission reviews, does not prompt FDA reviewers with specific cybersecurity questions and also lacks a dedicated section for recording the results of a cybersecurity review.
“We recommend that FDA promote the use of presubmission meetings to address cybersecurity-related questions, include cybersecurity documentation as a criterion in FDA’s Refuse-To-Accept checklists, and include cybersecurity as an element in the Smart template. FDA concurred with all three recommendations,” OIG said.
Despite the issues, OIG also noted that FDA reviewers do look for cybersecurity documentation in submissions. Such documentation may include a hazard analysis or a matrix that describes a device’s cybersecurity risks, the controls that mitigate those risks, and the threats the manufacturer considered.
FDA reviewers also “often request” more information from manufacturers when submissions lack sufficient cybersecurity documentation or when clarification is needed.
But at the time of OIG’s review, “FDA had almost always cleared or approved the cybersecurity aspect of networked medical devices because manufacturers had been able to respond with supplemental cybersecurity information that FDA deemed sufficient.” And OIG said, “FDA is making limited use of key tools that could support consistency, efficiency, and effectiveness in its premarket review of cybersecurity.”
FDA, meanwhile, emphasized that device cybersecurity is a shared responsibility among the agency, device manufacturers, health care providers and consumers.
The agency told Focus in a statement that it "has already initiated implementation of two of these recommendations – use of presubmission meetings and inclusion of cybersecurity as a specific section in the Smart template – independent of and prior to receiving the recommendations from the study. With respect to the third recommendation to include cybersecurity documentation as a criterion in the Refuse to Accept (RTA) checklist, the RTA checklist is an administrative tool and including cybersecurity as an item on the list could improve review efficiency by ensuring that the file contains all the necessary elements before the review is initiated rather than asking for such information, if not already in the premarket submission, during review."
FDA also said it is considering an update to premarket guidance on cybersecurity, "considering new premarket authorities requiring firms to take additional steps to secure their devices, such as developing a 'Software Bill of Materials' that must be provided to FDA as part of a premarket submission and made available to medical device customers and users, and exploring the development of a public private partnership to complement existing device vulnerability coordination and response mechanisms."
FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices