Fed­eral watch­dog crit­i­cal of FDA’s cy­ber­se­cu­rity ef­forts around med­i­cal de­vices post-mar­ket

Modern Healthcare - - News - By Rachel Z. Arndt

THE FOOD AND DRUG AD­MIN­IS­TRA­TION isn’t do­ing enough to ad­dress the cy­ber­se­cu­rity of med­i­cal de­vices al­ready on the mar­ket, ac­cord­ing to a new anal­y­sis from HHS’ Of­fice of In­spec­tor Gen­eral.

Be­cause of the de­fi­cien­cies in these poli­cies and pro­ce­dures, pub­lic health—and the FDA’s mis­sion it­self— is at risk, ac­cord­ing to the au­dit re­port, re­leased Nov. 1.

Cy­ber­se­cu­rity con­tin­ues to be top of mind in the in­dus­try as data breaches in­crease this year. Be­tween Jan. 1 and Oct. 1, 277 data breaches were re­ported to the Of­fice for Civil Rights. Dur­ing the same pe­riod last year, 271 breaches were re­ported.

The FDA has not suf­fi­ciently tested how well it can re­spond to cy­ber­se­cu­rity emer­gen­cies re­lated to med­i­cal de­vices, ac­cord­ing to the OIG. Ad­di­tion­ally, in two of the FDA’s 19 district of­fices, the agency did not have stan­dard op­er­at­ing pro­ce­dures for re­spond­ing to med­i­cal de­vice re­calls as­so­ci­ated with cy­ber­se­cu­rity vul­ner­a­bil­i­ties.

To bet­ter pro­tect the pub­lic from po­ten­tial threats, the FDA should “con­tin­u­ally as­sess cy­ber­se­cu­rity risks to med­i­cal de­vices” and up­date its strate­gies ac­cord­ingly. The agency should also make sure it has es­tab­lished pro­ce­dures for shar­ing “sen­si­tive in­for­ma­tion” about cy­ber­at­tacks and for deal­ing with cy­ber­se­cu­rity-re­lated re­calls of med­i­cal de­vices.

“The FDA must be held ac­count­able for ad­dress­ing the de­vice man­u­fac­tur­ers that are not com­pli­ant with se­cu­rity stan­dards,” Geisinger Health Chief In­for­ma­tion Of­fi­cer John Kravitz said. “We have a large num­ber of these de­vices that need to be fire­walled sep­a­rately in our or­ga­ni­za­tion be­cause the ven­dors are not held to a

strict stan­dard by the FDA.”

At the same time, providers have a bur­den to bear. As David Finn, ex­ec­u­tive vice pres­i­dent of strate­gic in­no­va­tion for con­sult­ing firm Cyn­er­gisTek, pointed out, “Most hospi­tals can’t pro­duce a com­pre­hen­sive in­ven­tory of their med­i­cal de­vices. That’s not the de­vice man­u­fac­tur­ers’ re­spon­si­bil­ity.”

The FDA, in a re­sponse filed with the OIG, said it does in fact have suf­fi­cient poli­cies and pro­ce­dures in place and that it had al­ready ad­dressed some of the prob­lems cited in the au­dit, al­leg­ing that the re­port paints an in­ac­cu­rate pic­ture of what’s hap­pen­ing to­day.

The Ad­vanced Med­i­cal Tech­nol­ogy As­so­ci­a­tion, a med­i­cal de­vice trade group, agreed. “The OIG’s fur­ther rec­om­men­da­tions, while help­ful, do not mean that the agency’s cur­rent prac­tices are in any way in­suf­fi­cient,” said Janet Trunzo, Ad­vaMed’s se­nior ex­ec­u­tive vice pres­i­dent of tech­nol­ogy and reg­u­la­tory af­fairs. “The pub­lic should have con­fi­dence that FDA has a com­pre­hen­sive reg­u­la­tory frame­work to ad­dress po­ten­tial cy­ber­se­cu­rity threats.”

The FDA also noted that it is work­ing closely with other en­ti­ties, in­clud­ing the Depart­ment of Home­land Se­cu­rity’s Na­tional Cy­ber­se­cu­rity and Com­mu­ni­ca­tions In­te­gra­tion Cen­ter, to co­or­di­nate cy­ber­se­cu­rity ef­forts.

Still, the fact that the FDA agreed with the OIG’s rec­om­men­da­tions is a good sign, said Jarvis Rodgers, OIG cy­ber­se­cu­rity and IT au­dit di­rec­tor, adding that “FDA’s ac­tions are a pos­i­tive step for­ward, and we think it’s a pos­i­tive step that the FDA is at­tempt­ing to lead by ex­am­ple.”

Cy­ber­se­cu­rity has been an on­go­ing con­cern for the FDA. In Oc­to­ber, the agency re­leased new draft guid­ance for pre­mar­ket sub­mis­sions, up­dat­ing its 2014 fi­nal guid­ance. In the new doc­u­ment, the agency called for man­u­fac­tur­ers to re­lease cy­ber­se­cu­rity bills of ma­te­ri­als, which would list all the com­po­nents in med­i­cal de­vices so end users

 can keep a closer eye on their se­cu­rity.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.