The Department of Health and Human Services Office of Inspector General recommended in a new report that the Food and Drug Administration pay even more attention to medical device cybersecurity when it evaluates products for approval to market in the U.S.
In a report issued Sept. 10, the OIG said its investigation showed that FDA already evaluates numerous aspects of cybersecurity in medical devices offered for approval, including a review of cybersecurity documentation in pre-market submissions from manufacturers; consideration of known cybersecurity risks and threats and how they might apply to networked medical devices with similar risk profiles; proper cybersecurity documentation; and requests for additional information about security.
“At the time of our review, FDA had almost always cleared or approved the cybersecurity aspect of networked medical devices because manufacturers had been able to respond with supplemental cybersecurity information that FDA deemed sufficient,” the OIG said, adding, “FDA staff told us that manufacturers could use presubmission meetings to better understand what cybersecurity information FDA needs and the steps that manufacturers need to take as they design their devices.”
While acknowledging FDA’s existing focus on cybersecurity in the device review process, the OIG said the agency “could further integrate” cybersecurity into the overall review process by: promoting the use of presubmission meetings to address cybersecurity-related questions; including cybersecurity documentation as a criterion in the agency’s “Refuse to Accept” checklist for device reviews; and including cybersecurity as an element in FDA’s “Smart” template that it uses to guide its reviews of submissions.
The OIG said FDA concurred with all three suggestions.