OIG Tells FDA to Make Cybersecurity Concerns a Criterion for RTF
[Thursday, September 13, 2018]
In a detailed report on FDA’s current practices for application review, the Office of Inspector General (OIG), Department of Health and Human Services, recommended that FDA take additional steps to assure that medical devices are protected from cybersecurity issues. These include having sponsors discuss cybersecurity issues at pre-submission meetings, adding a cybersecurity assessment to the “Refuse to Accept” checklist, and updating its internal “Smart” template for review so that reviewers are prompted to ask specific cybersecurity questions.

Cybersecurity issues related to medical devices connected to the internet have been a major concern for the last few years, particularly since an increasing number of devices move towards wireless connectivity to the internet, remote analysis, and real-time diagnostic and disease management protocols. FDA “recommends” that manufacturers address cybersecurity issues by including five cybersecurity checks in their market approval applications. The OIG reported that these include:

1. A hazard analysis listing the cybersecurity risks that were considered and the cybersecurity controls established in the device.
2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered.
3. The manufacturer’s plans for validating and updating the software.
4. A description of controls in the software supply chain to assure integrity.
5. Device instructions and recommended cybersecurity controls appropriate for the intended use environment (e.g., antivirus software).

Currently, FDA discusses cybersecurity issues at pre-submission meetings and considers known risks in its review of applications. Many times, FDA asks for additional information to address its concerns about the cybersecurity of devices under review. However, cybersecurity review has not been fully integrated into the FDA review process. OIG suggests that FDA take steps to assure the cybersecurity of devices, and FDA agreed.

FDA will add checks for cybersecurity information to its “Refuse to Accept” checklists for 510(k) and PMA applications, and will update the “Smart” template for review by adding elements to prompt reviewers “with specific cybersecurity questions to consider and a dedicated section for recording the results of the cybersecurity review”. In its response to the OIG report, FDA stated that it has already taken several of the recommended measures over the last two years.