US Senate Committee on the Judiciary chair Sen. Chuck Grassley (R-IA) recently sent a letter to FDA head Dr. Scott Gottlieb grilling him on steps the agency has taken to improve its oversight of, and reaction time to, cybersecurity threats.
In the letter, written on behalf of the Committee, Grassley references a report sent this month by the Dept. of Health and Human Services Office of Inspector General outlining deficiencies within the FDA related to postmarket medical device cybersecurity.
In the report, the OIG highlighted “some very important issues where the FDA has room for improvement,” according to Grassley’s letter.
Points for improvement include a lack of testing of the FDA’s ability to respond to medical device cybersecurity events and the fact that two district offices have no written standard operating procedures to address such issues.
The OIG recommended four action items, which included establishing written procedures and practices for securely sharing sensitive information about cybersecurity events with stakeholders, as well as formal agreements with federal partners to support cybersecurity efforts.
The FDA disagreed that the lack of a formal agreement with federal partners would impede information flow, according to Grassley’s letter.
The OIG maintained its dissenting view, and said that the “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis,” according to the letter.
Grassley mentioned concerns about foreign government interference that could lead to stolen intellectual property, personal data or other unsavory interference with the medical device industry in the US, and requested that Gottlieb and the FDA respond to four specific questions.
The questions asked the agency to outline its response to the OIG’s recommendations and how it has implemented changes accordingly, whether it has assessed which foreign governments pose a threat to the industry, and how Medical Device Report data is used to improve cybersecurity. Grassley also asked for a briefing on current cybersecurity threats and how the FDA is combating them.
Last month, the FDA said that it is partnering with the U.S. Department of Homeland Security to jointly improve cybersecurity in medical devices.