Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, asked FDA last week if it has assessed what threats foreign governments or other entities pose to postmarket medical device cybersecurity.
The series of questions to FDA Commissioner Scott Gottlieb from the senior lawmaker were triggered by an HHS Office of Inspector General audit that found fault with the agency's cybersecurity policies and procedures. Grassley found the audit "particularly troubling" in light of the potential for foreign actors to harm patients and steal personal medical information by exploiting the cybersecurity weaknesses of medical devices.
Despite the OIG's findings, FDA argues its processes to evaluate threats to medical device cybersecurity at an enterprise level are sufficient. "FDA has built a multi-faceted regulatory program specifically dedicated to mitigating the risk of cybersecurity threats to medical devices, from their inception to obsolescence," FDA wrote in response to the OIG report.
FDA's regulation and oversight of postmarket medical device cybersecurity have been subject to intense scrutiny in recent weeks. At the start of the month, the HHS OIG posted an audit that found FDA ill equipped to respond to device-related cybersecurity emergencies, and in some cases lacked written standard operating procedures for recalling vulnerable products.
Those perceived failings brought FDA to the attention of Grassley, who is involved in congressional oversight of federal entities' efforts to protect the U.S. from cyber threats. Grassley is concerned the deficiencies identified in the audit leave the U.S. vulnerable to attacks.
"These revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit," Grassley wrote. "Medical devices could be exploited by those same foreign actors to not only interfere with normal device operation, which could cause harm to patients, but also to steal personal medical information."
In light of these concerns, Grassley asked Gottlieb whether FDA has assessed the threats posed by "foreign governments or other entities." If FDA has performed such an assessment, Grassley wants to know which governments or entities FDA has identified.
Grassley asks Gottlieb to respond to the letter by Nov. 23. One question the lawmaker asks is for a summary of the fixes FDA is implementing to address the audit recommendations. HHS tasked FDA with writing cybersecurity procedures for securely sharing sensitive information about cybersecurity attacks, partnering with federal agencies and taking other steps to strengthen U.S. defenses.
The lawmaker also asked Gottlieb to brief the staff of the Senate Judiciary Committee about FDA's activities.