Federal watchdog critical of FDA’s cybersecurity efforts around medical devices post-market
The Food and Drug Administration isn’t doing enough to address the cybersecurity of medical devices already on the market, according to a new analysis from HHS’ Office of Inspector General.
Because of the deficiencies in these policies and procedures, public health, and the FDA’s mission itself, is at risk, according to the audit report, released Nov. 1.
Cybersecurity continues to be top of mind in the industry as data breaches increase this year. Between Jan. 1 and Oct. 1, 277 data breaches were reported to the Office for Civil Rights. During the same period last year, 271 breaches were reported.
The FDA has not sufficiently tested how well it can respond to cybersecurity emergencies related to medical devices, according to the OIG. Additionally, in two of the FDA’s 19 district offices, the agency did not have standard operating procedures for responding to medical device recalls associated with cybersecurity vulnerabilities.
To better protect the public from potential threats, the FDA should “continually assess cybersecurity risks to medical devices” and update its strategies accordingly. The agency should also make sure it has established procedures for sharing “sensitive information” about cyberattacks and for dealing with cybersecurity-related recalls of medical devices.
“The FDA must be held accountable for addressing the device manufacturers that are not compliant with security standards,” Geisinger Health Chief Information Officer John Kravitz said. “We have a large number of these devices that need to be firewalled separately in our organization because the vendors are not held to a strict standard by the FDA.”
At the same time, providers have a burden to bear. As David Finn, executive vice president of strategic innovation for consulting firm CynergisTek, pointed out, “Most hospitals can’t produce a comprehensive inventory of their medical devices. That’s not the device manufacturers’ responsibility.”
The FDA, in a response filed with the OIG, said it does in fact have sufficient policies and procedures in place and that it had already addressed some of the problems cited in the audit, alleging that the report paints an inaccurate picture of what’s happening today.
The Advanced Medical Technology Association, a medical device trade group, agreed. “The OIG’s further recommendations, while helpful, do not mean that the agency’s current practices are in any way insufficient,” said Janet Trunzo, AdvaMed’s senior executive vice president of technology and regulatory affairs. “The public should have confidence that FDA has a comprehensive regulatory framework to address potential cybersecurity threats.”
The FDA also noted that it is working closely with other entities, including the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, to coordinate cybersecurity efforts.
Still, the fact that the FDA agreed with the OIG’s recommendations is a good sign, said Jarvis Rodgers, OIG cybersecurity and IT audit director, adding that “FDA’s actions are a positive step forward, and we think it’s a positive step that the FDA is attempting to lead by example.”
Cybersecurity has been an ongoing concern for the FDA. In October, the agency released new draft guidance for premarket submissions, updating its 2014 final guidance. In the new document, the agency called for manufacturers to release cybersecurity bills of materials, which would list all the components in medical devices so end users can keep a closer eye on their security.