HHS OIG is recommending that the FDA establish and maintain procedures for handling recalls of vulnerable medical devices that can be exploited by attackers or other unauthorized users.
In addition, OIG advises the FDA to establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know.”
The recommendations grew out of an audit OIG conducted from September 2016 to February 2017.
OIG identified a number of shortcomings in the FDA's approach to postmarket medical device cybersecurity risks during its audit:
- FDA’s policies and procedures were insufficient for handling postmarket medical device cybersecurity events
- It had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices
- In two of 19 district offices, it had not established written standard operating procedures to address recalls of medical devices vulnerable to cyberthreats
“These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA's mission, as part of an enterprise risk management process,” OIG said in its audit.
Because the FDA did not sufficiently assess the risks of medical device cybersecurity events, the agency’s policies and procedures did not include effective approaches to responding to these events. As a result of these shortcomings, the agency’s work to address medical device security vulnerabilities was susceptible “to inefficiencies, unintentional delays, and potentially insufficient analysis.”
The FDA agreed with OIG’s recommendations, claiming that it had already implemented many of them and would continue to implement others in the report.
However, the FDA did not agree with OIG’s conclusion that the agency had not assessed medical device security at an enterprise or component level and that its policies and procedures were inadequate.
“We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid,” the OIG concluded.
In its response to the audit, the FDA said that the OIG “provides an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity in the postmarket phase. Specifically, FDA notes that fieldwork for the audit was primarily conducted during Fall 2016-Spring 2017, during which time FDA finalized its guidance on postmarket medical device cybersecurity; since then, FDA has continued to build out its cybersecurity framework.”
Earlier this year, the FDA announced its medical device safety action plan that included proposed changes to its postmarket procedures. These changes include requiring firms to adopt policies and procedures to coordinate disclosure of vulnerabilities as they are identified.
“Like computers and the networks they operate in, medical devices can be vulnerable to security breaches. Exploitation of device vulnerabilities could threaten the health and safety of patients,” observed FDA Commissioner Scott Gottlieb in announcing the plan.
The FDA is also considering requiring additional information on medical device labels for physicians, as well as more training and user education, explained Gottlieb.
As part of its plan, the FDA is proposing to set up a CyberMed Safety (Expert) Analysis Board, which would be a public-private partnership between the FDA and device makers to complement existing device vulnerability coordination and response mechanisms.
The board would include individuals with expertise in hardware, software, networking, biomedical engineering, and clinical environments. It would assess vulnerabilities, evaluate patient safety risks, adjudicate disputes, assess proposed mitigations, serve as consultants to organizations navigating the coordinated disclosure process, and function as a “go-team” that could be deployed in the field to investigate a suspected or confirmed device compromise.
In September, OIG published an audit of the FDA's premarket medical device security policies in which it recommended that the FDA better integrate cybersecurity criteria into its premarket review process for medical devices.
OIG advised the agency to use presubmission meetings with manufacturers to address cybersecurity issues, to include cybersecurity documentation as a criterion in its Refuse-To-Accept checklist, and to add cybersecurity questions to its guide for medical device submission reviews.