We’ve been writing for a few years now about the dangers of connected medical devices and how the U.S. F.D.A. has sought to increase the security of these devices. Previously, in St. Jude Takes Steps to Secure Vulnerable Medical Implants we covered the security surrounding St. Jude medical devices. We covered how the FDA Seeks Secure Medical Device Development Lifecycle and the FDA Prescribes Safer Path for Connected Medical Devices.
Since then, security researchers have continued to show that connected medical devices can be vulnerable to attacks such as unauthorized remote access and ransomware. As we wrote, these at-risk devices include everything from equipment you’d find in a hospital setting to pacemakers implanted in the body.
Now, the FDA is being asked to take the good work it’s done and go a bit further. A new report issued this month by the U.S. Department of Health and Human Services’ Office of Inspector General (OIG) urges the FDA to take additional steps to examine the security efforts of medical device manufacturers.
According to the report, the FDA has emphasized that cybersecurity for medical devices is a responsibility shared among device manufacturers, health care providers, consumers, and FDA itself. Manufacturers design networked medical devices that can include security controls to mitigate the cybersecurity risks. They then seek FDA clearance or approval of their devices. As the Federal agency responsible for regulating these devices, FDA may consider the cybersecurity risks and controls in its overall assessment of a device’s safety and effectiveness. Ultimately, FDA determines whether a networked medical device may be legally marketed in the United States.
The report found that the FDA could take additional steps to more fully integrate cybersecurity into its premarket review process:
Promote the use of presubmission meetings to address cybersecurity-related questions
Greater use of the presubmission meetings could allow manufacturers of networked medical devices to ask FDA specific cybersecurity-related questions that they need to address as they develop their device and prepare their submission for FDA review. FDA could promote the use of presubmission meetings when conducting outreach and awareness activities, such as presentations or workshops related to cybersecurity. In addition, the presubmission meeting could help improve the quality of cybersecurity information that manufacturers submit to FDA and decrease the amount of time it takes FDA to review a submission.
Include cybersecurity documentation as a criterion in FDA’s Refuse-To-Accept checklists
FDA should include cybersecurity as one of the items in its Refuse-To-Accept checklists to ensure that manufacturers submit cybersecurity documentation before accepting a submission for review.
(Source: HHS OIG report OEI-09-16-00220, “FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices.”)
As a prerequisite of substantive review, if applicable, FDA could refuse to accept a submission until the manufacturer provides cybersecurity information needed to assess the networked medical device’s cybersecurity risks and controls to mitigate those risks.
Include cybersecurity as an element in the Smart template
FDA should include cybersecurity as a stand-alone element in the Smart template to ensure consistent cybersecurity reviews. Inclusion of this element would help FDA reviewers thoroughly consider cybersecurity in their review and would provide a specific, dedicated section where they can explain the results of their review. FDA could further integrate cybersecurity into its overall review process. FDA’s “Refuse-To-Accept” checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information. Also, FDA’s “Smart” template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions that they should consider and lacks a dedicated section for recording the results of the cybersecurity review.
To conduct this examination of the FDA’s review of the security of devices in premarket submissions, the OIG interviewed FDA staff who perform and manage the reviews. The OIG also interviewed members of the FDA's Cybersecurity Workgroup. “We examined a non-representative sample of 22 submissions and FDA reviewer notes for networked medical devices that FDA cleared or approved in 2016. We reviewed FDA policies, procedures, and guidance documents related to its medical device review process and to cybersecurity,”
The FDA currently follows the cybersecurity device assessment rules it established in 2014, and it said that it agrees with the recommendations put forward in the OIG report.