The U.S. Health & Human Services Dept.’s inspector general last month flagged the FDA for its “deficient” plans and processes to ensure medical device cybersecurity, saying the federal safety watchdog’s policies and procedures are “insufficient for handling post-market medical device cybersecurity events.”
“FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats,” according to the OIG’s October report. “These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process. We shared our preliminary findings with FDA in advance of issuing our draft report. Before we issued our draft report, FDA implemented some of our recommendations. Accordingly, we kept our original findings in the report, but, in some instances, removed our recommendations.”
The report comes after a steady cadence of FDA releases this year about its cybersecurity initiatives, including the announcement last month of a memorandum of agreement with the U.S. Dept. of Homeland Security to implement a new framework that will improve coordination and cooperation between the two bodies.
The OIG’s report recommended that the FDA ink a more formal deal with DHS’s Industrial Control Systems Cyber Emergency Response Team, “establishing roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity.”
The FDA should also put established procedures in place for the secure handling of information about cybersecurity breaches with “key stakeholders who have a ‘need to know,’” according to the OIG report, and make sure it has procedures in place for handling recalls stemming from cybersecurity issues.
“[The] FDA agreed with our recommendations and said it had already implemented many of them during the audit and would continue working to implement the recommendations in the report. However, [the] FDA disagreed with our conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its preexisting policies and procedures were insufficient. We appreciate the efforts FDA has taken and plans to take in response to our findings and recommendations, but we maintain that our findings and recommendations are valid,” the OIG’s office said in the report.