HHS OIG finds flaws in FDA's postmarket cybersecurity procedures

A new report by HHS' Office of Inspector General (OIG) identified weaknesses in FDA's policies and procedures for handling postmarket medical device cybersecurity vulnerabilities. The report found that FDA had "not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices" and did not have written standard operating procedures in two of its 19 district offices. OIG recommended that the FDA "continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies; establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a 'need to know;' and enter into a formal agreement with federal agency partners … establishing roles and responsibilities as well as the support those agencies will provide to further FDA's mission related to medical device cybersecurity." OIG also called on FDA to "ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats." OIG noted that FDA has implemented some of its previous recommendations, such as forging closer ties with the DHS' Industrial Control Systems Cyber Emergency Response Team.