The Office of Inspector General (OIG) at the Department of Health and Human Services says the FDA is not sufficiently outlining how it will respond to cybersecurity risks for medical devices in the postmarket phase.

This conclusion came after the OIG conducted an audit of the agency’s policies and procedures and issued a report on November 1, 2018. “We conducted this audit because OIG had identified ensuring the safety and effectiveness of medical devices and fostering a culture of cybersecurity as top management challenges for HHS,” the OIG wrote in its report.

Findings

The OIG said the FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity issues in medical devices, and in 2 of 19 district offices, the FDA had not established written standards for how to address recalls of medical devices that are vulnerable to cyberattacks.

Further, the OIG said deficiencies existed in the FDA’s processes because “at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA’s mission, as part of an enterprise risk management process.”

Recommendations

The OIG report came up with four recommendations for the FDA:

  1. “continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies;
  2. establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know”;
  3. enter into a formal agreement with Federal agency partners, namely the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity; and
  4. ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.”

FDA Responds

The report noted the FDA agreed with the OIG recommendations and said it had already implemented many of them during the audit and would continue working to implement the recommendations in the report.

However, the FDA disagreed with the OIG’s conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its preexisting policies and procedures were insufficient.

The OIG stood by the report and said its findings and recommendations are valid.

Grassley Jumps In

Then, on November 9, Senator Chuck Grassley, chairman of the Senate Judiciary Committee, got in on the action. He wrote FDA Commissioner Scott Gottlieb, M.D., to say that OIG’s “revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit. I think you can agree, action must be taken to reduce and eliminate these threats.”

Grassley asked Gottlieb to provide written answers to four questions with regard to OIG’s report by November 23. The questions relate to steps taken to address each of the four OIG recommendations and whether FDA has assessed the possibility of foreign governments or other entities being threats to postmarket medical device cybersecurity.

To read the full 34-page OIG report, click here.