OIG Audit Asserts Concerns About FDA Oversight of Device Security

The security of medical devices has long been a worry for covered entities and some business associates, with fears intensifying as more devices are connected to the internet. Often the main challenge has been the reluctance, if not downright refusal, of manufacturers to provide patches and updates to address vulnerabilities, claiming they were forbidden to do so by the Food and Drug Administration (FDA).

In 2013, while warning that devices were vulnerable to cyberattacks, FDA actually had to issue a statement correcting the misperception that it didn’t allow patches (RPP 7/13, p. 1). In 2014, agency officials pledged to begin looking at device security through the “total product lifecycle” (RPP 10/14, p. 4). The agency has issued a host of draft and final guidance documents since that time, and has “taken significant steps…towards the vision of a healthy and resilient cyber ecosystem.”

But a recent audit by the HHS Office of Inspector General (OIG) found that FDA is falling short on device security. The audit, released Nov. 1, is titled “The Food and Drug Administration’s Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices.”
