The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report stating that the Food and Drug Administration (FDA) must examine medical device cybersecurity controls more carefully and more fully incorporate cybersecurity into the premarket review process for medical devices.
Presently, the FDA reviews the cybersecurity documentation in premarket submissions to ensure that medical devices have appropriate cybersecurity controls before it authorizes them for marketing. FDA reviewers apply the FDA’s 2014 cybersecurity guidance when reviewing new medical devices and ensure that devices are evaluated against new and emerging threats.
The FDA takes into account the cybersecurity risks and threats affecting particular devices and applies that information to all other devices with similar risk profiles. For instance, if a known risk is specific to a cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be evaluated against the same threat.
The review of cybersecurity controls includes:
- assessment of the hazard analysis
- matrices describing the device’s security risks
- the controls the manufacturer has applied to reduce those risks to an acceptable level
- plans for updating the device software
- software supply chain controls
- the manufacturer’s device instructions and proposed cybersecurity controls
In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information.
On the whole, the FDA’s review of medical device cybersecurity is sound, although OIG identified three areas for improvement:
- The FDA should modify its internal processes to ensure that cybersecurity questions are asked early in the approval process
- Presubmission meetings should address cybersecurity-related issues
- Cybersecurity should be incorporated into the FDA’s Refuse-to-Accept checklist and the Smart template
Presently the Smart template does not prompt FDA reviewers to ask specific cybersecurity questions, and there is no section in which the results of a cybersecurity review can be documented.
According to OIG, the FDA has accepted the feedback and agreed with all three of OIG’s recommendations. Two of the recommendations have already been implemented; only the Refuse-to-Accept checklist change is outstanding. Regarding the latter, the FDA has acknowledged that this change could improve efficiency, as it will ensure that a submission contains all the required information before the review begins. That should mean FDA reviewers no longer need to contact the manufacturer to request additional cybersecurity details.
The FDA has explained that its review process is not static but continually evolves to account for the changing threat landscape. The FDA is also considering updating its guidance on network-capable medical devices so that cybersecurity controls are integrated from the earliest stages of the design process.