The Food and Drug Administration’s policies and procedures are not sufficient for effectively dealing with postmarket medical device cybersecurity events, an emerging risk to public health and the FDA’s mission.
That’s the finding of an audit by the Department of Health and Human Services’ Office of Inspector General.
The FDA regulates medical devices in two phases: premarket and postmarket. In the postmarket phase, after clearing or approving a medical device, the agency conducts oversight activities such as monitoring and investigating a medical device’s safety and effectiveness, and alerting the public when there are problems.
While the FDA had plans and processes for addressing certain medical device problems in the postmarket phase, the regulatory agency’s efforts were “insufficient for handling postmarket medical device cybersecurity events,” according to the OIG.
In addition, auditors noted that the agency “had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices.” Further, OIG found that in two of its 19 district offices, the FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats.
“These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process,” auditors reported.
“We shared our preliminary findings with FDA in advance of issuing our draft report,” according to auditors. “Before we issued our draft report, FDA implemented some of our recommendations. Accordingly, we kept our original findings in the report but, in some instances, removed our recommendations.”
Among the OIG’s overall recommendations are that the FDA:
- Continually assess the cybersecurity risks to medical devices and update—as appropriate—its plans and strategies.
- Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a need to know.
- Enter into a formal agreement with federal agency partners to establish roles and responsibilities.
- Ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.
In written comments on the OIG report, the FDA concurred with most of the recommendations and said it had already implemented many of them during the audit and would continue working to implement the others.
Nonetheless, FDA disagreed with the OIG’s conclusion that the agency had not assessed medical device cybersecurity at an enterprise or component level, and that its pre-existing policies and procedures were insufficient.
“We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid,” concluded auditors.