The FDA's policies and procedures don't sufficiently outline how to respond to cybersecurity risks for medical devices in the postmarket phase, according to a report from the HHS Office of Inspector General.
The OIG conducted an audit to assess the FDA's processes for responding to cybersecurity compromises of medical devices in the postmarket phase, such as how the agency evaluates information on medical device vulnerabilities. For the audit, the office reviewed the FDA's internal policies and interviewed agency staff.
"We conducted this audit because OIG had identified ensuring the safety and effectiveness of medical devices and fostering a culture of cybersecurity as top management challenges for HHS," the OIG wrote in its report.
Here are four findings outlined in the OIG's report:
1. While the FDA had plans and processes in place for responding to certain medical device issues in the postmarket phase, the OIG said they were insufficient for handling cybersecurity vulnerabilities. The OIG said the FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity issues in medical devices, and in two of 19 district offices, the FDA had not established written standards for how to address recalls of medical devices that are vulnerable to cyberattacks.
2. The OIG argued these deficiencies in the FDA's processes existed because "at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA's mission, as part of an enterprise risk management process."
3. Based on its findings, the OIG recommended the FDA:
- Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly
- Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with relevant stakeholders
- Enter into a formal agreement with the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team
- Establish and maintain procedures for handling recalls of medical devices that are vulnerable to cybersecurity threats
4. The FDA agreed with the OIG's recommendations, said it had already implemented some of them during the course of the audit, and pledged to continue working to implement the remaining recommendations outlined in the report. However, the FDA disagreed with the OIG's conclusions that it had not assessed medical device cybersecurity at an appropriate level and that its existing policies were insufficient.
The OIG responded that although it appreciated the efforts the FDA has taken in response to the report, it "maintain[s] that our findings and recommendations are valid."