A November 2018 report issued by the Office of the Inspector General (OIG), the Food and Drug Administration’s watchdog, reveals that the FDA does not have appropriate measures in place to properly respond to cybersecurity issues related to in-use medical devices. Medical devices such as insulin pumps, pacemakers and more that can be connected to the Internet may be vulnerable to hacking attempts. The FDA’s lack of proper procedures to counter cybersecurity emergencies involving medical devices presents a significant risk to public health, according to the OIG’s report.
The OIG found that, despite being tasked with overseeing and monitoring medical devices, the FDA does not have an action plan in place to deal with cybersecurity threats to such devices. The OIG’s analysis also uncovered that two of 19 FDA district offices lack any written operating policy to deal with recalls of potentially vulnerable medical devices.
To remedy these issues, the OIG has advised the FDA to “continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies” as well as “ensur[ing] the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.” In order to accomplish these goals, the OIG has further proposed that the FDA establish partnerships with other federal agencies to help resolve cybersecurity issues and create protocols to share relevant information with key stakeholders.
In response, the FDA stated that it agreed with the watchdog’s overall recommendations while disagreeing with their conclusion that the agency’s current procedures are insufficient to counter cybersecurity attacks. The OIG’s investigation was carried out over the course of 2016 and 2017; the FDA had the opportunity to remedy certain issues observed by the OIG before the report’s release.
The OIG’s November report follows an analysis of the FDA’s policies on premarket medical device cybersecurity conducted in September 2018. Following that analysis, the OIG advocated for a broader approach to cybersecurity evaluation during the FDA’s premarket review process. The FDA agreed to follow the OIG’s recommendations in that case, and the agency has recently published amended premarket cybersecurity recommendations for the medical device industry.