FDA Reacts to Critique of Medical Device Security Strategy
Watchdog Agency Cited Deficiencies, But Agency Says Many Have Already Been Addressed
The Food and Drug Administration's procedures for handling cybersecurity concerns in medical devices once they are on the market are deficient, according to a new federal watchdog agency report. But since the audit was conducted, the FDA has been aggressively ramping up its activities around medical device cybersecurity, including addressing many of the issues spotlighted in the report.
The Department of Health and Human Services' Office of Inspector General's report says the watchdog agency found FDA's policies and procedures insufficient for handling postmarket medical device cybersecurity events.
In addition, the watchdog agency notes that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. It also notes that in two of 19 FDA district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats.
The OIG report acknowledges, however, that the weaknesses existed because, at the time of OIG's fieldwork in early 2017, FDA had not sufficiently assessed medical device cybersecurity.
"We shared our preliminary findings with FDA in advance of issuing our draft report. Before we issued our draft report, FDA implemented some of our recommendations. Accordingly, we kept our original findings in the report, but, in some instances, removed our recommendations," the report notes.
Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA Center for Devices and Radiological Health, will provide an overview of the agency's recent medical device cybersecurity efforts during a presentation at Information Security Media Group's Healthcare Security Summit in New York on Nov. 13-14.
In a statement provided to ISMG, the FDA says: "Unfortunately, the recent OIG report on the agency's postmarket cybersecurity activities provides an incomplete and inaccurate picture of the FDA's oversight of medical device cybersecurity in the postmarket phase. We note that the OIG did not find evidence that FDA had mismanaged or responded untimely to a reported medical device cybersecurity event."
Despite the OIG report's "factual inaccuracies," the FDA says it has proactively addressed the OIG's preliminary observations and recommendations, many of which were steps that the FDA had already been implementing or planned to implement at the time of the audit.
The FDA notes that the OIG audit was completed during the spring of 2017.
In conducting its audit, the OIG report notes that the watchdog agency reviewed FDA's policies, procedures, manuals and guides; interviewed staff; and reviewed publicly available information on FDA's website.
"We also analyzed FDA's processes for receiving and evaluating information on medical device compromises. In addition, we tested the internal controls at FDA's Center for Devices and Radiological Health to determine whether they ensured an effective response to a medical device cybersecurity incident," OIG writes.
The FDA in its statement says it has proactively addressed three of the OIG's four recommendations. That includes implementation of formal agreements recommended by OIG to bolster FDA information sharing and response to cybersecurity events involving medical devices.
FDA notes it recently signed memoranda of understanding with two information sharing and analysis organizations: the National Health Information Sharing and Analysis Center (recently renamed H-ISAC) and the Sensato Critical Infrastructure ISAO.
In addition, the FDA signed an agreement with the Department of Homeland Security's National Cybersecurity and Communications Integration Center related to inter-agency work on medical device cybersecurity (see: FDA Reveals Steps to Bolster Medical Device Cybersecurity).
And in October, FDA issued a new draft document updating its premarket medical device guidance on cybersecurity, which was originally released in 2014 "as part of our ongoing efforts to continually assess the cybersecurity risks to medical devices and update our plans and strategies," the FDA notes in its statement.
A separate report issued by the OIG in September also recommended that FDA should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed. The FDA in response to that report also noted that it was implementing the recommendations.
In its most recent report, OIG also notes that FDA needs to ensure "the establishment and maintenance of procedures" for handling recalls of medical devices vulnerable to cybersecurity threats.
"Two of nineteen FDA district offices had not established written standard operating procedures that addressed recalls of medical devices that are vulnerable to cyber vulnerabilities, exploitations, or threats," the report notes. "FDA's district office staff handle recalls in accordance with their respective district offices' standard operating procedures. ... As a result, in the two districts without these SOPs, FDA had an increased risk of untimely and ineffective processing of manufacturers' recalls of medical devices vulnerable to cybersecurity vulnerabilities, exploitations and threats."
In its statement to ISMG, FDA notes that since the OIG team completed its assessment in the spring of 2017, "the FDA's district offices in May 2017 transitioned away from geographically based district offices to commodity-based program division offices, which allows staff to become subject matter experts regarding particular products. This has been a major effort aimed at achieving consistency and efficiencies across commodity programs and includes procedures for handling recalls of medical devices vulnerable to cybersecurity vulnerabilities."
Additionally, since the OIG completed its audit in 2017, FDA has announced a handful of voluntary product recalls by manufacturers for medical device cybersecurity concerns.
Those include recalls involving implantable cardiac devices from Abbott Laboratories in August 2017 and the recent recall by Medtronic of certain internet-connected programmers for implantable cardiac devices.
The OIG report, as well as FDA's recent activity, spotlights the urgency of medical device cybersecurity issues, notes former healthcare CIO David Finn, an executive vice president at the security consultancy CynergisTek.
"Everyone in the sector, likely including the FDA, wishes all these 'fixes' could come faster," he says. "I do believe we need to move faster with comprehensive understanding of risks, incident response related to medical devices and better tracking and sharing of that information."
While the FDA has made progress in addressing many of the OIG's concerns, the industry's attention to medical device cybersecurity is a fairly recent development, Finn notes.
"What we can't forget is that this was a neglected area of focus to the device makers, the regulators and the industry as a whole. While it is a lovely thought, you cannot fix decades of neglect - during decades of technological advances, changes in healthcare delivery and changes to the cyber-threat landscape that couldn't have been anticipated - in a couple years. These will require long-term changes," he says.