Understanding The Inspector General's Critique Of The FDA Over Cybersecurity — And What It Means For Manufacturers

By Cynthia Schnedar and Reva Alperson, Greenleaf Health

Inspectors General are charged with providing independent and objective oversight of an agency. Each year they identify top management challenges for an agency and conduct audits or inspections of agency programs addressing those challenges.

The Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS) identified ensuring the safety and effectiveness of medical devices, as well as fostering a culture of cybersecurity, as top management challenges for the Food and Drug Administration (FDA). With those challenges in mind, OIG conducted an audit of the FDA’s internal processes to ensure cybersecurity in the postmarket phase of medical devices. The resulting report, issued by the OIG on Oct. 29, 2018, contained several criticisms of the FDA and some recommendations for how the FDA could improve. 

It is not unusual for an Inspector General’s report to find deficiencies in an agency program and recommend steps for improvement. Agencies typically, though not always, accept these recommendations and promise to implement them. What is unusual in this situation is that the FDA strongly pushed back on some of the OIG’s conclusions about the FDA’s performance in this area. To create further intrigue, U.S. Sen. Charles Grassley (R- Iowa), then chairman of the Committee on the Judiciary, jumped in to press the FDA with questions concerning the report’s findings. 

We summarize the OIG’s findings, the Agency’s disagreements with the findings, the concerns expressed by Senator Grassley, and what this means for manufacturers going forward.

Summary Of OIG Findings And Recommendations

The OIG noted that, as medical devices are increasingly connected to the internet, hospital, or other networks, the opportunities for cybersecurity compromises increase. The OIG found that the FDA lacked adequate protocols to address cybersecurity threats in medical devices in the postmarket phase, had not assessed its readiness to deal with a potential cybersecurity event, and lacked written operating procedures for medical device recalls resulting from cybersecurity vulnerabilities. According to the OIG, these deficiencies revealed the FDA’s insufficient assessment of medical device cybersecurity as a public health issue, and as an element of an enterprise risk management process.

The OIG specifically identified multiple shortcomings in the Center for Devices and Radiological Health (CDRH) Cybersecurity Workgroup — which the FDA established in 2013 to manage responses to cybersecurity events in medical devices — and in the CDRH Triaging Standard Operating Procedures (SOP), which describe CDRH’s processes for identifying, monitoring, and responding to cybersecurity events.

According to the OIG, the Cybersecurity Workgroup and the Triaging SOP each lacked detailed procedures and mechanisms both for receiving information from manufacturers, hospitals, and others about cybersecurity vulnerabilities and threats, and for disseminating that information. These inadequacies, as stated in the audit report, resulted from the FDA not formalizing the Cybersecurity Workgroup with a charter, not assessing the risk of CDRH’s handling of cybersecurity information, and not assessing medical device cybersecurity risk at an enterprise or component level.

Additionally, the OIG found that the FDA had not tested its operational abilities to respond specifically to medical device cybersecurity events, despite a prior response and recovery exercise indicating that such testing would be beneficial. The OIG also discovered that two of the FDA’s 19 district offices did not have written SOPs regarding medical device recalls due to cybersecurity weaknesses, increasing the FDA’s risk of mishandling recalls.

While the OIG found no actual instance of the FDA mismanaging a cybersecurity threat with medical devices, the OIG concluded that the FDA remained vulnerable to mismanaging a cybersecurity threat because of these shortcomings. The OIG did note that the FDA took steps to address the OIG’s preliminary findings even before the OIG issued its final report, commenting, “[w]e appreciate FDA’s proactive steps to address our findings.”

FDA Response To The OIG Report

As the OIG acknowledged, the FDA took a number of actions before the OIG report was released to heighten its commitment to promoting cybersecurity. On Oct. 1, 2018, the FDA released a statement announcing it had formalized partnerships with several non-government stakeholders to create information sharing analysis organizations (ISAOs). These ISAOs provide forums for manufacturers to share information about potential vulnerabilities and emerging threats so they can address issues earlier and provide more protection for patients.

Additionally, on Oct. 16, 2018, the FDA announced a memorandum of understanding “formalizing and enhancing” the Agency’s pre-existing partnership with the Department of Homeland Security (DHS) to share information and collaborate closely in combating issues with cybersecurity.

Overall, the FDA accepted most of the recommendations for improvement in the OIG report, but specifically countered that the report provided “an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity in the postmarket phase.” To support that assertion, the FDA pointed out that it had “made the proactive decision” to implement a program to deal with emerging cybersecurity threats, which the OIG failed to adequately account for, because the OIG began its audit as the FDA was still implementing the program.

The FDA listed a number of actions it has taken, including establishing a specialized team dedicated to this issue, issuing guidance documents, engaging with stakeholders via public workshops, conducting and participating in mock cybersecurity attack exercises, and developing and formalizing collaborative working relationships. The FDA also pointed out that it had instituted a national recall procedure after the OIG started its audit, and thus the OIG’s finding that two of the field offices had insufficient recall procedures was no longer correct.

Most significantly, the FDA disagreed with the OIG’s conclusion that the FDA’s lack of documentation had “put at risk” the effectiveness of the FDA’s oversight of cybersecurity. The FDA claimed that, through its activities in this area, “FDA has become well-respected for thought leadership on cybersecurity issues and has earned a reputation as a nimble regulator.”

In response to this pushback from the FDA, the OIG maintained its initial assessment, leaving the two agencies in disagreement about how well the FDA has performed.  

Congressional Oversight

To add further scrutiny of the FDA on this issue, on Nov. 9, 2018, Sen. Grassley wrote a letter pressing FDA Commissioner Scott Gottlieb on the Agency’s attempts to address the concerning findings in the OIG report — specifically, the conclusion that the FDA was not prepared to thwart a cybersecurity event. He also expressed concern that foreign agents would take advantage of poor cybersecurity protections to steal intellectual property and personal medical information.

U.S. Sen. Lindsey Graham (R-SC) is succeeding Grassley in his role as chairman of the Committee on the Judiciary and has also expressed support for more aggressive measures against all cybersecurity threats to U.S. infrastructure. Thus, Sen. Graham and others in Congress can be expected to have a similar interest in ensuring the cybersecurity of medical devices.

To date, neither the Judiciary Committee nor the FDA has posted on their respective websites an FDA response to the letter from Sen. Grassley, but it is probable that any FDA response will echo the themes the Agency represented in its response to the OIG’s criticism.

Significance Of The FDA’s Disagreement With The OIG’s Findings

Agencies often disagree with some of the findings in an OIG report.  However, in our opinion, the disagreement between the OIG and FDA is more strongly stated than is typical in an OIG report. In essence, the FDA believes that the OIG has not given the Agency enough credit for steps the FDA already has already taken.

Yet, this strongly stated disagreement about the OIG’s report card to the FDA on this issue should have little impact on future steps the FDA will take concerning cybersecurity. The FDA clearly stated that, while it disagreed with some of the OIG’s criticisms, the Agency remains committed to working proactively to address the OIG’s observations. In addition, senior FDA officials have frequently stated that ensuring the cybersecurity of medical devices is a top priority for the Agency. Given the constantly evolving state of technology, we can anticipate that this priority will remain in place indefinitely.

And, given the high interest expressed by the OIG and members of Congress, we can anticipate that close of oversight of the FDA on this issue also will continue for the foreseeable future. Thus, manufacturers should be alert to continued FDA action in this area, including additional guidances, workshops, and opportunities for stakeholder engagement.

A summary of the OIG report can be accessed here. The FDA’s response letter is included in the full report linked at the bottom of the page.

About The Authors

Cynthia Schnedar is executive VP of regulatory compliance at Greenleaf Health. She was formerly director of the Office of Compliance for the FDA’s CDER. During her time at the FDA, she spearheaded efforts to protect the American public from unsafe and ineffective drug products by ensuring companies comply with federal standards for quality and safety. Among her many duties, Schnedar advised the FDA commissioner, the CDER director, and other senior FDA officials on significant enforcement issues. Schnedar spent more than two decades at the Department of Justice, where she specialized in compliance and enforcement issues and served as acting inspector general. She earned a B.A. from the University of New Mexico and a J.D. from the University of Texas School of Law. You can connect with her on LinkedIn.

Reva Alperson is manager of regulatory affairs at Greenleaf Health. She specializes in researching and analyzing FDA regulatory issues and in assisting clients with strategic communications. She graduated from Vanderbilt University cum laude with a Bachelor of Science in human and organizational development with a concentration in health and human services. You can connect with her on LinkedIn.