The U.S. Department of Health and Human Services has found that the Food and Drug Administration’s (FDA) plans and processes were deficient for addressing medical device cybersecurity compromises.
The Office of Inspector General (OIG) identified several shortcomings in the organisation, including:
- The FDA’s policies and procedures were insufficient for handling postmarket medical device cybersecurity events
- The FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices
- In two of the 19 district offices, the FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats
The report did state that no evidence was found of the FDA mismanaging, or responding in an untimely manner to, a reported medical device cybersecurity event, but its existing policies had left efforts to address medical device cybersecurity vulnerabilities susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.
Among the shortcomings, the OIG found that since the inception of the Cybersecurity Workgroup in 2013, the FDA had not developed and implemented procedures to ensure it efficiently received and shared information about cybersecurity vulnerabilities, exploits and threats that potentially affected medical devices.
Specifically, the FDA had not established email accounts or electronic mailboxes for the group to receive information about vulnerabilities, exploits and threats, despite having a facility for receiving complaints; had not developed a resource, such as an application or a form, to receive cybersecurity threat information; had not defined a method for the group to securely share sensitive information about cybersecurity vulnerabilities with external stakeholders; and had not formalised the ability to receive or share cybersecurity vulnerability information with other federal agencies.
The OIG therefore recommended that the FDA:
- Continually assess the cybersecurity risks to medical devices and update its plans and strategies when appropriate
- Establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know”
- Enter into a formal agreement with Federal agency partners, including the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further the FDA’s mission related to medical device cybersecurity
- Ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats
The FDA responded by saying it had already implemented some of the recommendations, which the OIG noted, and cited three occasions on which it had “adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices.”
The organisation also disagreed with the conclusion that its pre-existing policies and procedures were insufficient regarding postmarket cybersecurity.