WASHINGTON – The U.S. Food and Drug Administration’s policies and procedures should better address post-market cybersecurity risk to medical devices, according to an audit by the Department of Health and Human Services’ Office of Inspector General.
While the FDA has plans and processes for addressing certain medical device problems in the post-market phase, the audit found that those plans and processes are deficient for addressing medical device cybersecurity compromises, specifically for handling post-market medical device cybersecurity events.
“FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in two of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats,” the OIG wrote.
The OIG’s recommendations for the FDA include: continually assessing the cybersecurity risks to medical devices and updating, as appropriate, its plans and strategies; establishing written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know”; entering into a formal agreement with federal agency partners, including the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, that establishes roles and responsibilities as well as the support those agencies will provide to further FDA’s mission related to medical device cybersecurity; and ensuring the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.
The OIG said that before it issued the findings of its audit, the FDA had already implemented some of the recommendations.