The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report recommending that the Food and Drug Administration (FDA) scrutinize medical device cybersecurity controls more closely and more fully integrate cybersecurity into the premarket review process for medical devices.
Currently, the FDA reviews cybersecurity documentation in premarket submissions to ensure medical devices have appropriate cybersecurity controls before approval is given for the devices to be marketed. FDA reviewers use 2014 FDA cybersecurity guidance as general principles when conducting reviews of new medical devices, and the FDA has taken steps to ensure that devices are assessed against new and emerging threats.
The FDA considers cybersecurity risks and threats that affect specific devices and applies that knowledge to all other devices with similar risk profiles. For example, if there is a known threat to a specific cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be assessed against the same threat.
Reviews of cybersecurity controls include assessments of a hazard analysis, matrices describing the device’s security risks and the controls that have been implemented by the manufacturer to reduce those risks to an acceptable level. Plans for updating software are assessed, software supply chain controls are reviewed, and the manufacturers’ device instructions and recommended cybersecurity controls are evaluated.
In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information.
Overall, the FDA’s assessments of medical device cybersecurity are good, although OIG identified three areas where improvements could be made: The FDA should change internal processes to ensure questions about cybersecurity are asked earlier in the approval process, presubmission meetings should address cybersecurity-related issues, and the FDA’s Refuse-to-Accept checklist should have cybersecurity included in the Smart template. Currently, the Smart template does not prompt FDA reviewers to ask specific cybersecurity questions, and there is no section where the results of a cybersecurity review can be recorded.
According to OIG, the FDA has welcomed the feedback and has agreed to all three of OIG’s recommendations. Two of the recommendations have already been implemented, with only the Refuse-to-Accept checklist outstanding. With respect to the latter, the FDA has accepted that this change could improve efficiency, as it will ensure that the file contains all the necessary information prior to review. This will mean that FDA reviewers should not need to contact the manufacturer to ask for further information on cybersecurity.
The FDA has explained that its review process is not static: it is constantly evolving and takes into account the changing threat landscape. The FDA is also considering updating rules on network-capable medical devices to ensure that cybersecurity controls are incorporated at the earliest stages of the design process.