OIG: cybersecurity must be further integrated into FDA premarket review process
To more fully address the vulnerabilities of networked medical devices, the Food and Drug Administration should further integrate cybersecurity into the premarket review process for these devices.
That’s the finding of an audit by the Department of Health and Human Services’ Office of Inspector General.
Networked medical devices cleared or approved by the FDA, such as hospital-room infusion pumps and diagnostic imaging equipment, can be susceptible to cybersecurity threats if the devices lack adequate security controls, according to the OIG.
While the FDA reviews the cybersecurity documentation in premarket submissions that manufacturers submit before the devices can be marketed, the regulatory agency can do a better job of integrating cybersecurity into its overall review process, contend auditors.
In particular, the OIG pointed out that the two tools—Refuse-To-Accept checklists and Smart template—that FDA reviewers use to facilitate their analysis of networked medical devices were developed before the increase in submissions of these devices and in cybersecurity threats such as ransomware.
“FDA’s ‘Refuse-To-Accept’ checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information,” states OIG’s report. “Also, FDA’s ‘Smart’ template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions that they should consider and also lacked a dedicated section for recording the results of the cybersecurity review.”
OIG recommended that the agency promote the use of pre-submission meetings to address cybersecurity-related questions, include cybersecurity documentation as a criterion in FDA's Refuse-To-Accept checklists, as well as include cybersecurity as an element in the Smart template.
In written comments to OIG’s report, FDA concurred with all three of the audit’s recommendations and noted that the agency has started taking steps to implement them.