HHS OIG on Cybersecurity and the FDA

The Office of the Inspector General (OIG) of Health and Human Services (HHS) recently released a 25-page report on the FDA's regulatory function in the medical device cybersecurity domain. The report opens with a rehashing of real and imagined cyber risks, including those reported on by self-appointed "white hat" hackers and other vulnerabilities that have not been identified as having actually caused any harm. The FDA's current cybersecurity review process is briefly addressed, and is noted to be based at least in part on its 2014 Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This Guidance covers both 510(k) and PMA reviews. In brief, manufacturers are requested (if not quite required) to provide (1) a cybersecurity risk hazard analysis and associated controls, (2) plans for validating and updating their software, (3) a description of supply chain controls, and (4) relevant user instructions. These matters are addressed in the general course of the FDA's review process, which may include requests for further information as a result of the initial review, assuming the FDA's refusal-to-accept is not triggered by a serious lack of relevant information, despite cybersecurity not currently being a separately enumerated information category.

The OIG report adds to FDA's current effort three specific recommendations.

Presubmission meetings: The report says that greater use of presubmission meetings could allow manufacturers to...
Source: Medical Connectivity Consulting - Category: Information Technology Authors: Tags: Data Security Standards & Regulatory Uncategorized Source Type: blogs