FDA deficient on device cybersecurity readiness, watchdog says
- HHS' Office of Inspector General, in a new audit, called FDA's policies and procedures deficient for addressing postmarket cybersecurity threats to medical devices.
- Specifically, FDA had not adequately tested its ability to respond to cybersecurity emergencies involving devices, and in two of 19 district offices had no written standard operating procedures covering recalls of vulnerable devices, OIG found.
- FDA said the report paints "an incomplete and inadequate" picture of the agency's oversight of medical device cybersecurity.
U.S. government agencies are scrambling to improve strategies for addressing and preventing cybersecurity risks to medical devices and healthcare organizations after a wave of attacks against the industry in the past two years, including the high-profile WannaCry breach in May 2017.
Earlier this week, HHS officially opened a health sector cybersecurity coordination center, called HC3, to promote coordination and information sharing among government agencies and industry to identify patterns and bolster detection of threats.
In October, FDA published a cybersecurity playbook in conjunction with Mitre Corporation, and FDA and the Department of Homeland Security announced a new framework to coordinate medical device cybersecurity efforts.
The agency's Medical Device Safety Action Plan, unveiled in July, calls for the integration of the Center for Devices and Radiological Health's premarket and postmarket offices.
OIG's audit focused on FDA's internal processes for addressing the cybersecurity of medical devices after they hit the market. The report said that while FDA had procedures to address certain problems arising with medical devices, those processes were insufficient to deal with cybersecurity events. The reason, OIG said, is the agency had not sufficiently identified cybersecurity as an emerging public health risk.
FDA disagreed with OIG's conclusion that it had not assessed medical device cybersecurity at an enterprise level and that its pre-existing policies were insufficient. In a lengthy response, FDA Associate Director for Science and Strategic Partnerships Suzanne Schwartz said the agency has been and remains proactive on the issue and has already implemented several of the OIG's recommendations.
"Like the evolving nature of the devices regulated — and cybersecurity threats faced — the FDA's regulatory approach is not static. We have, and we will continue to, refine and expand the regulatory framework we have put in place," Schwartz wrote.
OIG recommended FDA:
- Continually assess the cybersecurity risks to medical devices and update its plans and strategies.
- Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders.
- Enter into a formal agreement with federal agency partners, namely the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities related to medical device cybersecurity.
- Establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats.