Federal regulators are insufficiently prepared for the possibility of hackers wreaking havoc on medical devices like pacemakers and insulin pumps, a government watchdog has warned.
A report released Thursday by the U.S. Department of Health and Human Services (HHS) inspector general repeatedly faulted the Food and Drug Administration (FDA), the agency with oversight of commercially sold medical devices, for allegedly failing to adequately address related cybersecurity risks.
“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” the inspector general wrote in the report.
Auditors examining the agency’s internal practices determined that regulators had failed to put in place adequate policies for handling cybersecurity incidents involving FDA-approved devices, and that they had insufficiently tested their ability to respond to potential related emergencies, the report said.
“These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and FDA’s mission, as part of an enterprise risk management process,” the inspector general wrote.
“We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” the audit noted. “However, because FDA had not sufficiently assessed the risks of medical device cybersecurity events, existing policies and procedures did not include effective practices for responding to those events.”
The FDA agreed with the inspector general’s recommendations for addressing the issues, albeit not the audit’s characterization of the agency’s internal practices.
“As we’ve noted in our response to the report, it provides an incomplete and inaccurate picture of the FDA’s oversight of medical device cybersecurity,” said Suzanne B. Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
“The FDA has been and continues to work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first,” she said in a statement. “Like the evolving nature of the devices regulated — and cybersecurity threats faced — the FDA’s regulatory approach is not static. We have, and we will continue to, refine and expand the regulatory framework we have put in place.”
In 2016, medical giant Johnson & Johnson revealed that insulin pumps used by upwards of 114,000 diabetic patients in the U.S. and Canada contained security bugs that made them susceptible to hackers. More recently, St. Jude Medical asked cardiac patients in 2017 to install a security update that patched a problem affecting certain medical devices including pacemakers and defibrillators.
• Andrew Blake can be reached at ablake@washingtontimes.com.