From: The National Law Review
Jessika Tuazon | Epstein Becker & Green, P.C.
On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”
Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.