To improve medical device security, the HHS Office of the Inspector General (OIG) is recommending that the FDA better integrate cybersecurity criteria into its premarket review process for medical devices.
In a report released Sept. 10, OIG is advising the FDA to use presubmission meetings with manufacturers to address cybersecurity-related questions, to include cybersecurity documentation as a criterion in its Refuse-To-Accept (RTA) checklist, and to add cybersecurity questions to its Smart template, which the FDA uses as a guide for its review of medical device submissions.
The RTA checklist outlines for manufacturers the minimum criteria that the FDA uses to determine whether it will accept a medical device submission for substantive review. If any of the required information is missing, the FDA may refuse to accept the submission until the manufacturer provides it.
For the study, OIG interviewed FDA staff; examined 22 submissions and FDA reviewer notes for networked medical devices approved in 2016; and reviewed FDA policies, procedures, and guidance documents related to its medical device review process and cybersecurity.
“As the Federal agency responsible for regulating these devices, FDA may consider the cybersecurity risks and controls in its overall assessment of a device's safety and effectiveness. Ultimately, FDA determines whether a networked medical device may be legally marketed in the United States,” the report explained.
OIG acknowledged that the FDA has taken steps to address emerging cybersecurity concerns with medical devices. It has established an internal cybersecurity workgroup, issued guidance documents on medical device cybersecurity, conducted outreach activities to educate stakeholders, and requests and reviews cybersecurity information in premarket submissions for networked medical devices.
FDA reviewers told OIG staff that they consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to networked medical devices that display similar risk profiles.
“For example, if FDA identifies a cybersecurity threat to a certain cardiac device from a specific manufacturer, it considers that same threat in evaluating submissions for similar cardiac devices from other manufacturers,” the report explained.
In submissions from manufacturers, the FDA looks for cybersecurity documentation, which might include a hazard analysis or a matrix that describes the device’s cybersecurity risks, controls to mitigate those risks, and threats that the manufacturer considered.
Agency reviewers can request additional information from manufacturers when submissions lack enough cybersecurity documentation or when clarification is needed.
“However, FDA could do more to integrate its assessment of cybersecurity for networked medical devices into its premarket review process. From our observations, FDA is making limited use of key tools that could support consistency, efficiency, and effectiveness in its premarket review of cybersecurity,” OIG observed.
In its response to the OIG’s recommendations, the FDA said that it already uses the presubmission meetings to discuss cybersecurity issues, but it will “specifically mention cybersecurity in the next planned update of our presubmission guidance to further promote the use of presubmissions for cybersecurity questions.”
Regarding the inclusion of cybersecurity documentation in its RTA checklist, the FDA concurred with the OIG’s recommendation. “We believe that including cybersecurity as an item on the list could improve review efficiency by ensuring that the file contains all the necessary elements before the review is initiated rather than asking for such information, if not already in the premarket submission, during the review.”
“FDA intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.”
On the issue of including cybersecurity as an element in the Smart template, FDA said that it added a cybersecurity section to the template in 2016.
“As the medical device ecosystem continues to mature around device cybersecurity, we anticipate that the Smart template will be iteratively updated to keep pace with the evolution,” the FDA concluded.