FDA to Ramp Up Medical Device Cybersecurity Scrutiny
New OIG Report Spells Out Need for Better Premarket Reviews
The Food and Drug Administration should increase its scrutiny of the cybersecurity of networked medical devices before they're approved to be marketed, a new government watchdog agency report says. FDA says it will carry out the report's recommendations.
The Department of Health and Human Services' Office of Inspector General's report recommends that FDA better integrate the review of cybersecurity in the agency's processes for premarket assessments of medical devices.
In a statement provided to Information Security Media Group, FDA says it's taking steps to bolster its "already robust premarket review of networked medical devices."
In its report, OIG notes that FDA has taken steps to address emerging cybersecurity concerns in networked medical devices by issuing guidance, reviewing the cybersecurity information in premarket submissions that manufacturers send to FDA before the devices can be marketed, and, when needed, obtaining additional details from manufacturers. But it states that FDA "could take additional steps to more fully integrate cybersecurity into its premarket review process."
While OIG notes that FDA uses its 2014 premarket cybersecurity guidance for medical devices as the general principles guiding its review of products, the watchdog agency suggests FDA needs to take a closer look at these devices' cybersecurity during its review process and engage manufacturers more in that process so they better understand what FDA expects.
FDA considers known cybersecurity risks and threats when reviewing submissions and applies that knowledge to devices that display similar risk profiles, FDA reviewers told OIG.
"For example, if FDA identifies a cybersecurity threat to a certain cardiac device from a specific manufacturer, it considers that same threat in evaluating submissions for similar cardiac devices from other manufacturers," OIG notes.
"FDA reviewers look for cybersecurity documentation in the submissions. Such documentation may include a hazard analysis or a matrix that describes the device's cybersecurity risks, controls to mitigate those risks and threats that the manufacturer considered."
Also, FDA reviewers often request additional information from manufacturers when submissions lack sufficient cybersecurity documentation or when clarification is needed, the report states.
The OIG notes, however, that "at the time of our review, FDA had almost always cleared or approved the cybersecurity aspect of networked medical devices because manufacturers had been able to respond with supplemental cybersecurity information that FDA deemed sufficient. FDA staff told us that manufacturers could use presubmission meetings to better understand what cybersecurity information FDA needs and the steps they need to take as they design their devices."
OIG notes that FDA's "Refuse-To-Accept" checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information. Also, FDA's "smart" template, which the agency uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions to consider and lacks a dedicated section for recording the results of the cybersecurity review, according to the OIG report.
To address these issues, OIG recommends that FDA promote the use of "presubmission meetings" to address cybersecurity-related questions; include cybersecurity documentation as a criterion in FDA's Refuse-To-Accept checklists; and include cybersecurity as an element in the smart template.
FDA agreed with all three recommendations, the report notes.
FDA, in its statement provided to ISMG, says it has already taken steps "and is committed to ongoing proactive efforts to promote a multistakeholder, multifaceted approach of cybersecurity vigilance, responsiveness, recovery and resilience that applies throughout the life cycle of medical devices."
Because of the evolving nature of the devices regulated and cybersecurity threats faced, FDA's regulatory approach is not static, the agency tells ISMG.
"In addition to the recommendations from the OIG, FDA continues to refine and expand the regulatory framework that it has put in place," FDA says.
For example, as outlined in FDA's Medical Device Safety Action Plan, the agency has identified several important policy efforts that will continue to advance its device cybersecurity program (see FDA Proposes Action to Enhance Medical Device Cybersecurity).
Those efforts include FDA:
- Updating its premarket guidance on cybersecurity;
- Considering requiring firms to take additional steps to secure their devices, such as developing a "software bill of materials" that must be provided to FDA as part of a premarket submission and made available to medical device customers and users;
- Exploring the development of a public/private partnership to complement existing device vulnerability coordination and response mechanisms.
FDA has already initiated implementation of two OIG recommendations included in the watchdog agency's report - presubmission meetings and inclusion of cybersecurity as a specific section in the smart template, the agency tells ISMG.
"With respect to the third recommendation to include cybersecurity documentation as a criterion in the Refuse to Accept checklist, the RTA checklist is an administrative tool, and including cybersecurity as an item on the list could improve review efficiency by ensuring that the file contains all the necessary elements before the review is initiated, rather than asking for such information, if not already in the premarket submission, during review," FDA says.
Also, while cybersecurity is absent from the current RTA checklist, FDA carefully reviews the material in the submission to support device cybersecurity and, where appropriate, requests additional information and/or clarifications during the review process if not already provided in the premarket submission, FDA adds.
"Therefore, incorporating cybersecurity on the RTA checklist - in and of itself - does not alter what manufacturers must submit to FDA, the scientific analysis of the submission we perform, nor the marketing authorization decisions we make," FDA tells ISMG. "Cybersecurity information has been and will continue to be required in premarket submissions and FDA reviews such information as part of the review. FDA plans to update OIG as these three recommendations are completed."
On the Right Track
Some security experts say FDA appears to be on the right track in its efforts to advance cybersecurity in medical devices, but the OIG recommendations for further improvements make sense.
"OIG's recommendations look sound, and they dovetail with the way FDA already conducts premarket reviews," says Ben Ransford, co-founder and CEO at Virta Labs, a healthcare cybersecurity firm. "FDA's job is to ask the right questions, and OIG's recommendations seem like they're designed to make the cybersecurity aspects of FDA's job easier to get right. FDA should be aiming for consistency in its reviews."
It's important to manage expectations about FDA's procedures, Ransford adds. "They're not going to red-team test every device, and they're not going to slam on the brakes every time they identify a potential security problem," he notes. "Many security flaws are not cut and dried, and FDA is always doing many reviews in parallel. The vast majority of the nuanced work must fall to manufacturers, as it currently does."
Even if it appears that FDA is "green-lighting" most medical device premarket submissions as they relate to cybersecurity, "it doesn't necessarily mean they're being overly lax," Ransford adds. "Manufacturers are also producing better submissions because they understand the stakes have gone up."