The FDA needs to step up efforts related to medical device cybersecurity, according to a new assessment by the Office of the Inspector General with the U.S. Department of Health and Human Services (HHS). The report, issued this week, concludes the FDA is severely lacking in protocols for responding to patient safety concerns related to medical devices that could be vulnerable to hacking or other cybersecurity events.
The report recommends the FDA set up a program of continual assessment of medical device cybersecurity risks, develop communication plans for instances in which specific threats come to light, and partner with other federal agencies in the creation and implementation of response strategies.
There have been no instances of patient safety being actively compromised by shortcomings in federal cybersecurity oversight, the report concedes. But there is concern the FDA hasn’t fully adjusted to a new era of interconnected digital communication that can compromise the safety of a device well after it has gone through the clearance process.
“These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and FDA’s mission, as part of an enterprise risk management process,” the report states.
The FDA’s reception of the report is mixed. According to the Office of Inspector General, the FDA agreed with several specific recommendations for improvement and has already begun the implementation process for certain adjustments. At the same time, the FDA refuted the notion that previous efforts were lacking.