The Food and Drug Administration does not have strong enough procedures in place to respond to cybersecurity problems with medical devices that are already in use, according to a report released this week by the Office of the Inspector General (OIG), the agency’s watchdog.
Medical devices include everything from pacemakers to insulin pumps, and those that are connected to the internet could be vulnerable to hacking—presenting a public health risk. According to the OIG, the FDA, which oversees and monitors medical devices, is not prepared to respond to cybersecurity emergencies. The analysis also found that two of the FDA’s 19 district offices do not have written operating procedures for the recall of vulnerable medical devices.
The OIG recommended that the FDA “continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies” and “ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.” It also recommended that the FDA partner with other federal agencies around issues of cybersecurity, and establish protocols to share cybersecurity information with stakeholders.
“I don’t necessarily feel shocked, or feel that there were any significant inadequacies that would cause me to cause me to lose any of the faith in what the FDA is currently doing,” Jeff Tully, a cybersecurity researcher and physician at the University of California, Davis Medical Center, told Gizmodo. “I think there are some good recommendations, and oversight and accountability are good. But we’re not seeing inadequacies in areas where patients are at risk.”
The FDA agreed with the OIGs overall recommendations, but disputed the conclusions that its existing policies were insufficient to handle issues that may arise, saying that the report gave “an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity in the postmarket phase.”
The OIG conducted its investigation in 2016 and 2017, and the FDA corrected some of the observed deficiencies prior to the publication of the report.
FDA oversight of medical devices comes in two stages: premarket, when it evaluates the safety and efficacy of devices before they’re approved, and postmarket, when it monitors surveillance done by companies of the products while they’re in use. Companies have to report any malfunctions or injuries to the agency, and some are asked to conduct more rigorous, additional studies.
Tully said that the FDA has done a good job working collaboratively with various stakeholders around issues of cybersecurity, building relationships with vendors, clinicians, and independent cybersecurity experts. “The relationship between the FDA and independent experts is coming into its own, and it’s healthy,” he said. He pointed to the recall of Medtronic cardiac devices, which came after independent researchers identified vulnerabilities that would allow them to hack and modify the pacemakers.
Cybersecurity in medical devices is a relatively new area of focus, Tully said. “It’s 10 to 15 years behind counterparts in finance,” he said. “It’s only something we’ve been thinking about in the past 10 years or so, and only recently something we realized we need to think about like any other element in the device. The space is still very new.”
The OIG also analyzed the FDA’s premarket cybersecurity polices in September, and recommended that the agency take a more comprehensive approach to evaluating potential cybersecurity threats during the review process, which the FDA agreed to do. The FDA also published new premarket cybersecurity recommendations for industry, which include ensuring that devices can be scanned regularly for viruses and can warn the user if a security breach is detected, in October. Tully said he anticipates the agency will publish new postmarket guidelines in the near future.