The FDA is taking steps to increase its scrutiny of efforts taken by medical device developers to limit cybersecurity vulnerabilities in their connected products, but may need to take extra steps, according to a newly released report from the US Dept. of Health and Human Services’ Office of Inspector General.
The report analyzed the FDA’s efforts to evaluate how secure devices are prior to approval, and found that the agency is taking a number of steps to do so, but could improve upon its current strategy.
The agency is currently following rules established in 2014 to assess the cybersecurity of devices it clears, according to the report, and consider known cybersecurity risks and threats when reviewing submissions. The federal watchdog said that it is also evaluating vulnerabilities identified from similar devices that have already been cleared during the process.
Despite the efforts, the report suggested that the agency could be asking questions earlier in the process and possibly adding cybersecurity to its “Refuse-To-Accept” checklist, alongside other steps to beef up its efforts to prevent outside agents from accessing medical devices.
“As the Federal agency responsible for assuring the safety and effectiveness of networked medical devices, FDA has taken steps to address emerging cybersecurity concerns. It has established an internal cybersecurity workgroup, issued guidance documents on medical device cybersecurity, conducted outreach activities to educate stakeholders, and has begun to request and review cybersecurity information in premarket submissions for networked medical devices. However, FDA could do more to integrate its assessment of cybersecurity for networked medical devices into its premarket review process. From our observations, FDA is making limited use of key tools that could support consistency, efficiency, and effectiveness in its premarket review of cybersecurity,” the OIG wrote in its report.
The OIG report suggests that the FDA could be using presubmission meetings to discuss networked devices and cybersecurity-related questions, which in turn would improve the cybersecurity information submitted to the FDA and cut down on review time.
The report also suggests that the agency include cybersecurity as a stand-alone element in its Smart template “to thoroughly consider cybersecurity in their review and provide a specific, dedicated section where they can explain the results of their review.”
The FDA agreed with all the recommendations, and said it has begun taking steps to implement them, according to the report.