On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here, and the Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public workshop on January 29-30, 2019, to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.
