In September 2018, the Office of the Inspector General (OIG) published a report of its findings following an examination of the Food and Drug Administration’s (FDA) policies, procedures, and guidance in connection with cybersecurity reviews of networked medical devices. The OIG concluded that, while the FDA has begun to incorporate cybersecurity concerns as part of its review process, the FDA should take steps to ensure its cybersecurity review is systematic and consistent. The OIG specifically recommended that the FDA:
- Promote the use of the FDA’s pre-submission program (Pre-Sub Program) to discuss cybersecurity concerns
- Include cybersecurity documentation as a criterion in the FDA’s current Refuse To Accept checklists
- Revise its “Smart” template to prompt FDA reviewers with specific cybersecurity questions
After the OIG report, the FDA responded by saying that in the coming weeks it will overhaul its 2014 cybersecurity guidance, including by providing a list of commercial and off-the-shelf software and hardware components with known vulnerabilities.
The FDA can reject connected devices after performing a cybersecurity review of premarket device submissions because of potential risks to individuals from cyberattacks affecting connected medical devices. While these devices help advance medical treatment, they can be vulnerable to cybersecurity threats. The OIG’s stated objective for this review was to “examine the Food and Drug Administration’s review of cybersecurity risks and controls to mitigate those risks before it clears or approves networked medical devices for use in the United States.”
According to the OIG report, the FDA reviewers consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to devices that display similar risk profiles. The reviewers will request more documentation and meetings about cybersecurity with the manufacturers if submissions do not contain the information necessary for an adequate review. The FDA has also established an internal cybersecurity workgroup, conducted industry educational activities, and begun adding cybersecurity as a special control for certain premarket notification submissions.