FDA to Improve Reviews of Medical Device Cybersecurity

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report recommending that the Food and Drug Administration (FDA) assess cybersecurity controls more closely and integrate cybersecurity more fully into the premarket assessment process for medical devices.

At present, the FDA evaluates cybersecurity documentation as part of the premarket assessment process to ensure that medical devices incorporate effective cybersecurity controls prior to granting approval for the devices to be marketed. FDA reviewers base their assessments on 2014 FDA cybersecurity guidelines and evaluate the controls that have been put in place by manufacturers to reduce the risk from current cyber threats.

The FDA looks at cybersecurity risks and threats affecting specific devices and assesses other medical devices with the same risk profiles against those threats. If there is a known risk to a specific model of cardiac device, for example, all other manufacturers’ cardiac devices will be tested against that specific threat.

The FDA also assesses cybersecurity controls using the following data supplied with premarket submissions:

  • Hazard analysis evaluations
  • A medical device’s security risk matrix
  • The controls that have been deployed to reduce known risks to an acceptable level
  • Plans for upgrading software throughout the product lifespan

The FDA also assesses software supply chain controls, the instructions supplied by device manufacturers, and the manufacturers’ cybersecurity recommendations for users of those devices.

In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information to the FDA.

In general, the FDA’s examination of medical device cybersecurity controls is adequate, although OIG found three areas for improvement:

  • The FDA ought to alter internal procedures to ensure that questions concerning cybersecurity are asked sooner in the acceptance process
  • Presubmission meetings should address cybersecurity-related concerns
  • The FDA’s Refuse-to-Accept checklist needs to have cybersecurity incorporated in the Smart template

OIG said in its report that the FDA welcomed the feedback and has agreed to implement all three recommendations. Two recommendations have already been implemented, although changes have not yet been made to the Refuse-to-Accept checklist. On this last point, the FDA accepts that the change has the potential to improve the efficiency of the approval process, as it will ensure FDA reviewers have all the information they need and will not have to subsequently contact the manufacturer for further information.

The FDA has stated that its review process is not set in stone: it is proactively improving its policies and processes with respect to cybersecurity and takes new threats to device security into consideration when reviewing premarket submissions. The FDA is also in the process of updating regulations covering network-capable healthcare devices to ensure that cybersecurity controls are considered at the very first stage of the design process.