Cybersecurity is undoubtedly one of the biggest concerns in the medical device sector—and the U.S. FDA should take steps to improve the security of networked devices before they enter the market, asserts the Department of Health and Human Services’ Office of Inspector General (OIG) in a new report. The government watchdog agency has also laid out a list of recommendations for the FDA regarding medical device security—suggestions of which FDA had acquiesced.
“We recommend that [the] FDA promotes the use of presubmission meetings to address cybersecurity-related questions, include cybersecurity documentation as a criterion in FDA’s Refuse-To-Accept checklists, and include cybersecurity as an element in the Smart template,” OIG officials write. “FDA concurred with all three recommendations.”
The OIG’s report, titled “FDA Should Further Integrate Its Review of Cybersecurity into the Premarket Review Process for Medical Devices,” also detailed the FDA’s previous approach to medical device cybersecurity. “FDA uses its 2014 guidance on the content of premarket submissions and cybersecurity as general principles to assist its review,” OIG officials reveal. “FDA reviewers explained to us that they consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to devices that display similar risk profiles.”
For instance, if the FDA detects a possible security breach in a certain cardiac device from a certain manufacturer, the agency will regard the same threat when evaluating similar cardiac device submissions from other manufacturers.
What’s more, FDA reviewers look for cybersecurity documentation when reviewing product submissions—documentation, OIG officials maintain, that “may include a hazard analysis or a matrix that describes the device’s cybersecurity risks, controls to mitigate those risks, and threats that the manufacturer considered.” When further clarification is needed, however, or product submissions fail to provide adequate cybersecurity documentation, the reviewers may ask for more information.
Even so, the OIG found: “At the time of our review, FDA had almost always cleared or approved the cybersecurity aspect of networked medical devices because manufacturers had been able to respond with supplemental cybersecurity information that FDA deemed sufficient. FDA staff told us that manufacturers could use presubmission meetings to better understand what cybersecurity information FDA needs and the steps they need to take as they design their devices.”
Do you believe the FDA’s adherence to the OIG’s recommendations will make a big difference in the quest toward greater medical device cybersecurity? Why or why not?