FDA advised to step up device cybersecurity checks premarket
- The Office of Inspector General for HHS is recommending FDA do more during its premarket review process to address cybersecurity risks for networked medical devices.
- FDA is making limited use of key tools that could make its premarket review of cybersecurity more effective, OIG said in a report.
- FDA agreed with OIG’s recommendations and said device manufacturers could use pre-submission meetings to better understand what cybersecurity information the agency needs as well as the steps companies need to take as they design their devices, according to the report.
Hackers have demonstrated that lack of security controls in connected medical devices leaves them open to cyber threats such as ransomware and unauthorized remote access. Hospital-room infusion pumps, diagnostic imaging equipment and pacemakers are among the vulnerable devices.
Cybersecurity attacks can affect a single patient or an entire hospital system. The American Medical Association has said 83% of physician practices have reported experiencing some form of a cybersecurity attack.
FDA earlier this year released its Medical Device Safety Action Plan that calls for new authorities to require manufacturers to build security updates and patch capabilities into products at the design stage and to have formal procedures in place for fast disclosure of vulnerabilities found in products already on the market.
The OIG analysis found that FDA reviewers already consider known cybersecurity threats when reviewing premarket submissions and look for documentation such as a hazard analysis or matrix that includes controls to mitigate those risks.
But FDA could further integrate cybersecurity into the premarket review process, the report said. It found that FDA checklists used to screen submissions for completeness do not include checks for cybersecurity information. Also, a "smart" template the agency uses as a guide in reviews does not prompt for specific cybersecurity questions and lacks a dedicated section for recording results of the safety review.
"Because FDA’s initial reviews of submissions do not include a check for cybersecurity information, FDA may accept 510(k) and PMA submissions that lack cybersecurity documentation, which may cause delays in FDA’s review," the OIG report said.
OIG recommended that FDA make greater use of pre-submission meetings to address cybersecurity issues, include cybersecurity as a criterion in its "refuse to accept" checklists, and incorporate cybersecurity as a stand-alone element in its smart template.
In response to the OIG report, FDA said that it is already working on implementing the recommendations, adding that it plans on updating OIG once they are completed. Specifically, FDA said that it will "specifically mention cybersecurity in the next planned update of our presubmission guidance," and "intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity."
The agency noted that its smart template was updated in 2016 to include a section on cybersecurity, but added that it will continue to iteratively update the document "as the medical device ecosystem continues to mature."
Janet Trunzo, AdvaMed's senior executive vice president, technology and regulatory affairs, said that the lobby is supportive of OIG's suggestions to FDA.
"These process improvements by the FDA are consistent with AdvaMed's Cybersecurity Principles and will reinforce activities already being done by medtech companies and the agency to help improve cybersecurity oversight by adding more transparency and predictability to the premarket review process. But these actions alone are not enough. Cybersecurity is a shared responsibility among all health care stakeholders. Providers have to do their part. Medtech companies are doing our part, and we look forward to continuing to partner with FDA," Trunzo said in a statement.