After calling on the U.S. Food and Drug Administration (FDA) in September to further integrate cybersecurity into its premarket review process, the U.S. Office of Inspector General (OIG) has now deemed the FDA's policies and processes to be "deficient" for addressing postmarket cybersecurity incidents with medical devices.
In a report published on October 29, the OIG said that its recent audit showed that the FDA's policies and procedures were insufficient for handling cybersecurity events after devices reach the market. Furthermore, it concluded that the FDA hadn't adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. What's more, two of 19 FDA district offices had not established written standard operating procedures to address recalls of medical devices vulnerable to cyberthreats, according to the OIG.
"These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA's mission, as part of an enterprise risk management process," the OIG wrote.
The OIG said it audited the FDA's internal processes by interviewing staff and reviewing the FDA's policies, procedures, manuals, and guides. The OIG also reviewed publicly available information on the FDA's website and analyzed the FDA's processes for receiving and evaluating information on medical device compromises. Next, the OIG tested internal controls at the FDA's Center for Devices and Radiological Health (CDRH) to determine whether they ensured an effective response to a medical device cybersecurity incident.
In light of its findings, the OIG recommended specifically that the FDA take the following steps:
- Continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies
- Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a "need to know"
- Enter into a formal agreement with federal agency partners, namely the Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further the FDA's mission related to medical device cybersecurity
- Ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats
In response to the report, the FDA told the OIG that it agreed with the recommendations, had already implemented many of them during the audit, and would continue working to implement the others.
"However, FDA disagreed with our conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its pre-existing policies and procedures were insufficient," the OIG wrote. "We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid."
The full report is available on the OIG's website.
Since the OIG audit, the FDA has implemented a new framework with the DHS to ensure greater coordination and cooperation for addressing medical device cybersecurity. It also recently released a proposal to strengthen cybersecurity protection for medical devices.