FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices
WHY WE DID THIS STUDY
Cybersecurity is an area with increasing risk to patients and the health care industry as more medical devices use wireless, Internet, and network connectivity. Researchers have shown that networked medical devices cleared or approved by FDA can be susceptible to cybersecurity threats, such as ransomware and unauthorized remote access, if the devices lack adequate security controls. These networked medical devices include hospital-room infusion pumps, diagnostic imaging equipment, and pacemakers.
FDA has emphasized that cybersecurity for medical devices is a responsibility shared among device manufacturers, health care providers, consumers, and FDA itself. Manufacturers design networked medical devices that can include security controls to mitigate the cybersecurity risks. They then seek FDA clearance or approval of their devices. As the Federal agency responsible for regulating these devices, FDA may consider the cybersecurity risks and controls in its overall assessment of a device's safety and effectiveness. Ultimately, FDA determines whether a networked medical device may be legally marketed in the United States.
HOW WE DID THIS STUDY
To examine FDA's review of cybersecurity in premarket submissions for networked medical devices, we interviewed FDA staff who carry out and manage the reviews and interviewed members of FDA's Cybersecurity Workgroup. We examined a nonrepresentative sample of 22 submissions and FDA reviewer notes for networked medical devices that FDA cleared or approved in 2016. We reviewed FDA policies, procedures, and guidance documents related to its medical device review process and to cybersecurity.
WHAT WE FOUND
To help assure the public that networked medical devices are safe and effective and that manufacturers are safeguarding their devices from potential cybersecurity threats, FDA reviews the cybersecurity documentation in premarket submissions that manufacturers submit to FDA before the devices can be marketed. FDA uses its 2014 guidance on the content of premarket submissions and cybersecurity as general principles to assist its review. FDA reviewers explained to us that they consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to networked medical devices that display similar risk profiles. For example, if FDA identifies a cybersecurity threat to a certain cardiac device from a specific manufacturer, it considers that same threat in evaluating submissions for similar cardiac devices from other manufacturers.
FDA reviewers look for cybersecurity documentation in the submissions. Such documentation may include a hazard analysis or a matrix that describes the device's cybersecurity risks, controls to mitigate those risks, and threats that the manufacturer considered. FDA reviewers often request additional information from manufacturers when submissions lack sufficient cybersecurity documentation or when clarification is needed. At the time of our review, FDA had almost always cleared or approved the cybersecurity aspect of networked medical devices because manufacturers had been able to respond with supplemental cybersecurity information that FDA deemed sufficient. FDA staff told us that manufacturers could use presubmission meetings to better understand what cybersecurity information FDA needs and the steps that manufacturers need to take as they design their devices.
FDA could further integrate cybersecurity into its overall review process. FDA's "Refuse-To-Accept" checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information. Also, FDA's "Smart" template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions that they should consider and lacks a dedicated section for recording the results of the cybersecurity review.
WHAT WE RECOMMEND
We recommend that FDA promote the use of presubmission meetings to address cybersecurity-related questions, include cybersecurity documentation as a criterion in FDA's Refuse-To-Accept checklists, and include cybersecurity as an element in the Smart template. FDA concurred with all three recommendations.