The Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a report on Monday, calling for the Food and Drug Administration (FDA) to improve its approach to cybersecurity for medical devices already on the market, and praising FDA’s early response to the report’s criticisms.
“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” HHS OIG wrote in its report.
The FDA’s Center for Devices and Radiological Health (CDRH), which is responsible for regulating the safety of medical devices, does not test devices itself; it mandates manufacturer testing and requires manufacturers to report software patches for issues that could affect user health, as well as recalls. In December 2016 the FDA issued postmarket guidance that included recommendations on how to handle vulnerabilities in devices already on the market.
However, HHS OIG found FDA’s plans lacking.
“We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event. However, because FDA had not sufficiently assessed the risks of medical device cybersecurity events, existing policies and procedures did not include effective practices for responding to those events,” the report noted.
Although FDA has a cybersecurity workgroup to address medical devices, the agency had not developed a public channel for submitting information to the workgroup, had not defined a method for sharing sensitive information with stakeholders outside FDA, and had not formalized an information-sharing relationship with other agencies, including the Department of Homeland Security. HHS OIG also criticized CDRH for failing to include cyber threats in the definition of “emergency” in its organizational documents.
FDA responded to the critiques by providing documentation that outlined the role of the cybersecurity workgroup and by updating its definition of emergency to include cyber threats, leaving HHS OIG with no further recommendations on the workgroup. However, FDA disagreed with OIG’s assertion that information sharing was hampered by the lack of a formal agreement, citing the workgroup’s existing communications with the National Cybersecurity and Communications Integration Center (NCCIC).
HHS OIG also chided FDA over the lack of a cybersecurity emergency exercise, but FDA addressed the issue by conducting a tabletop exercise, leaving no recommendations.
The main area of disagreement between FDA and HHS OIG was in OIG’s assertion that FDA “had not assessed medical device cybersecurity at an enterprise or component level.” FDA disagreed, pointing to its documentation and guidance on medical device security, but OIG held firm in its assertion. Outside of that area, the agency and the inspector general seemed to be on the same page.
“We appreciate the efforts FDA has taken and plans to take in response to our recommendations,” the report noted.