Share this article on:
The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase. Several deficiencies in FDA policies and procedures were identified by OIG auditors.
Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients.
The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas.
One area of weakness concerns how the FDA handles postmarket medical device cybersecurity events, including recalls of medical devices that contain vulnerabilities that could be exploited by hackers to gain access to the devices to alter functionality, steal patient data, or use the devices for attacks on healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.
While plans and procedures for dealing with cybersecurity events have been developed by the FDA, the agency’s ability to respond to cybersecurity incidents had not been adequately tested, according to OIG.
OIG noted in its report that as a result of the failure of the FDA to assess risks from medical device security events and ineffective approaches to responding to events, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”
Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”
OIG recommended that the FDA:
- Continually assesses cybersecurity risks to medical devices and updates its plans and strategies accordingly
- Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
- Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
- Ensure policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.
The FDA has been proactively addressing the issue of medical device cybersecurity; however, at the time of OIG’s fieldwork in the spring of 2017, the FDA had not yet properly addressed the emerging issue of medical device cybersecurity.
OIG notes that prior to issuing the draft report of the findings of the audit, the preliminary findings were shared with the FDA. By the time that the draft report was issued, the FDA had already addressed some of OIG’s recommendations.
The FDA concurred with all of OIG’s recommendations; however, the FDA did not agree with OIG’s suggestion that it had failed to assess medical service security at an enterprise or component level and neither that its policies and procedures were inadequate. The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.