HHS’ OIG Issues Report Describing “Insufficiencies” of FDA Postmarket Cybersecurity Procedures

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  

The US Food and Drug Administration (FDA) is responsible for ensuring that all medical devices on the market that may store confidential patient information are secure. Medical devices are required to incorporate technical safeguards that make them resilient to cyberattacks that could either alter their functionality, and therefore harm patients, or expose data stored on their systems.

“We conducted this audit because OIG had identified ensuring the safety and effectiveness of medical devices and fostering a culture of cybersecurity as top management challenges for HHS,” the OIG wrote in its report.

In recent years, the FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market. The existing guidelines on the matter had become out of date because of the fast pace at which technology develops.

The FDA has also issued guidance on plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are “insufficient” in several areas.

One of the issues highlighted in the OIG’s report is its concern over how the FDA handles postmarket medical device cybersecurity events. OIG found that the FDA has not tested its response during, or in the aftermath of, emergencies. Such emergencies may include recalls of medical devices containing vulnerabilities that hackers could exploit to alter device functionality, steal patient data, or use the devices to attack healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.

OIG noted in its report that, because the FDA had not assessed the risks from medical device security events and had no effective approach to responding to them, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”

In their report, OIG investigators argued these deficiencies in the FDA’s processes existed because “at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process.”

Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”

Based on its findings, OIG recommended that the FDA:

  • Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly
  • Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
  • Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
  • Ensure that policies and procedures covering the recall of medical devices vulnerable to cybersecurity threats are established and maintained

The report notes that the preliminary findings of the audit were shared with the FDA before the draft report was issued, and that the FDA had already addressed some of OIG’s recommendations by the time the draft report was issued.

In response to the report, the FDA stated that it agreed with all of OIG’s recommendations and would endeavour to incorporate them into the next draft. However, the FDA did not agree with OIG’s suggestion that it had failed to assess medical device security at an enterprise or component level, nor that its policies and procedures were inadequate. The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA