The regulator agreed with the report’s three premarket review recommendations.
As the Internet of Things has come to grip healthcare, so too have cybersecurity hazards. To defend against hacking, the U.S. Food and Drug Administration (FDA) has analyzed cybersecurity issues and protocols in its review of medical devices. But the authors of a new report argue that the regulator can do more to bolster a product’s cyberdefenses before it hits the market.
The U.S. Department of Health & Human Services’ Office of Inspector General (OIG) published the document (PDF) yesterday, providing three recommendations to the FDA. The agency should use presubmission meetings to discuss cybersecurity issues, mandate the inclusion of cybersecurity criteria in screening documents and add cybersecurity to its “smart” template, the OIG said.
FDA leaders, who have spent a great deal of time advocating for medical device cybersecurity in recent years, welcomed the advice. The FDA said it has “concurred” with all three suggestions and is working to implement them.
Still, the authors praised the FDA’s efforts to enhance cybersecurity thus far, from the formation of an in-house workgroup to guidance documents and outreach activities.
“However, FDA could do more to integrate its assessment of cybersecurity for networked medical devices into its premarket review process,” the OIG wrote. “From our observations, FDA is making limited use of key tools that could support consistency, efficiency and effectiveness in its premarket review of cybersecurity.”
The report comes at a time of unprecedented cybersecurity threats. Cyberattacks on medical devices are becoming more common, as are baked-in vulnerabilities. Ransomware and other attacks have exposed sensitive patient data and, as the OIG notes, hold the power to “impact a hospital system and disrupt the delivery of healthcare.”
Each type of device comes with its own risks. Infusion pumps with automated network connections and default passwords, for example, may welcome attackers to a hospital’s network, giving them the ability to change a patient’s medication dosage. Implantable pacemakers and medical imaging systems also carry weaknesses that hackers can exploit to affect care.
In FDA review processes, device manufacturers must analyze their products’ cybersecurity risks and mitigation controls. Several years ago, the regulator issued guidance to help device makers prepare for and successfully complete this journey.
Still, the OIG found, the FDA continues to “receive initial submissions that insufficiently cover cybersecurity.”
By more fully integrating cybersecurity into refuse-to-accept checklists and the agency’s smart template, the FDA could chip away at this problem and others like it, according to the OIG. Presubmission meetings, meanwhile, could improve the quality of cybersecurity information and decrease review time.
Before penning the report, OIG officials interviewed FDA staffers, examined submissions and review notes from 2016 and analyzed relevant policies, procedures and guidance documents.