OIG Publishes Findings of Audit of FDA’s Policies and Procedures Covering Postmarket Cybersecurity Risk to Medical Devices

The HHS’ Office of Inspector General (OIG) has released the results of an audit of the policies and procedures of the Food and Drug Administration (FDA) for addressing postmarket medical device cybersecurity. OIG discovered a number of deficiencies that need to be addressed.

The FDA has been tasked with making sure that medical devices that come to market are safe, secure and effective and include cybersecurity defenses to stop cyberattacks. The FDA has created policies and procedures to ensure cybersecurity protections are reviewed before healthcare devices are made available to healthcare providers. The FDA has also developed programs and procedures for dealing with medical device problems such as cybersecurity issues in the postmarket phase.

OIG determined that the way the FDA deals with postmarket medical device cybersecurity incidents needs to be improved, especially recalls of devices with vulnerabilities that hackers could exploit to alter the devices’ functionality or steal patient information. OIG also found that written standard operating procedures for device recalls were lacking in two of the 19 FDA district offices that were audited.

Although the FDA has developed plans and procedures for handling cybersecurity incidents, OIG reports that the FDA has yet to thoroughly test those plans and procedures.

Because the FDA was unable to evaluate the risks from medical device security incidents, and because its strategies for responding to incidents were ineffective, the FDA’s efforts to deal with medical device vulnerabilities were prone to inefficiencies, delays, and inadequate analysis.

OIG has recommended that the FDA should:

  • Continually evaluate cybersecurity threats to medical devices and improve plans and procedures as needed
  • Create written procedures for the safe sharing of sensitive data about cybersecurity incidents with stakeholders
  • Sign an official agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team covering functions and responsibilities
  • Make sure there are established policies and procedures that cover the recall of healthcare devices with cybersecurity vulnerabilities

The FDA has been working hard to ensure that medical device cybersecurity is appropriately addressed, but at the time OIG conducted its fieldwork, the FDA had yet to address many of the issues OIG identified. In the months that followed, the FDA addressed several of the issues covered in the OIG report.

The FDA concurred with OIG’s recommendations, but it did not agree with OIG’s finding that it had failed to evaluate medical device security at the enterprise level, nor that its policies and procedures were inadequate.