To better protect the public from potential threats, the FDA should "continually assess cybersecurity risks to medical devices" and update its strategies accordingly. The agency should also make sure it has established procedures for sharing "sensitive information" about cyberattacks and for dealing with cybersecurity-related recalls of medical devices.
The FDA, in responses filed with the OIG, said it does in fact have sufficient policies and procedures in place and that it had already addressed some of these problems.
"The recent OIG report on the agency's postmarket cybersecurity activities provides an incomplete and inaccurate picture of the FDA's oversight of medical device cybersecurity in the postmarket phase," the FDA wrote in response to the report.
But the FDA also said it would keep working on the OIG's recommendations—work that in some cases has already begun. For instance, the FDA has signed memoranda of understanding with two information sharing and analysis organizations.
That the FDA has agreed with the OIG's recommendations is a good sign, OIG cybersecurity and IT audit director Jarvis Rodgers told Modern Healthcare, adding "FDA's actions are a positive step forward, and we think it's a positive step that the FDA is attempting to lead by example."
The FDA was critical of specific parts of the report, though, telling the OIG that, contrary to the audit's findings, it had examined medical device cybersecurity both at the level of specific components and, more broadly, at the enterprise level.
The FDA also criticized how the critiques were framed.
"OIG fails to contextualize its observations within the extensive, well-established post-market policies and procedures," the FDA wrote in response to the report.
Cybersecurity has been an ongoing concern for the FDA. In October, the agency released new draft guidance for premarket submissions, updating its 2014 final guidance. In the new document, the agency called for manufacturers to release cybersecurity bills of materials, which would list all the components in medical devices so end users can keep a closer eye on their security.
"FDA has started along the correct path with the inclusion of cybersecurity in the premarket guidance, as well as the addition of enhancing their internal controls as it relates to the post-market," Rodgers said. "As a result of our work, the FDA is in a much stronger position to deal with a potential cybersecurity threat."