The Office of the Inspector General (OIG) of Health and Human Services (HHS) recently released a 25-page report on the FDA's regulatory function in the medical device cybersecurity domain. The report opens with a rehashing of real and imagined cyber risks, including those reported on by self-appointed "white hat" hackers and other vulnerabilities that have not been shown to have actually caused any harm.
The FDA's current cybersecurity review process is briefly addressed, which is noted to be based at least in part on its 2014 Guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This Guidance covers both 510(k) and PMA reviews. In brief, manufacturers are requested (if not quite required) to provide (1) a cybersecurity risk hazard analysis and associated controls, (2) plans for validating and updating their software, (3) a description of supply chain controls, and (4) relevant user instructions. These matters are addressed in the general course of the FDA's review process, which may include requests for further information as a result of the initial review, assuming the submission is not first rejected under FDA's refuse-to-accept screening for a serious lack of relevant information (cybersecurity is not currently a separately enumerated information category on that checklist).
The OIG report adds three specific recommendations to FDA's current effort.
Presubmission meetings: The report says that greater use of presubmission meetings could allow manufacturers to ask FDA specific cybersecurity-related questions that they need to address as they develop their device and prepare their submission for FDA review, and that the FDA should promote such meetings during outreach. In addition, presubmission meetings, it is said, could help improve the quality of cybersecurity information that manufacturers submit to FDA and thereby decrease review times. Presently such meetings are voluntary, and the report does not recommend that this be changed. Of course, shortened review times, if they occur, would come at the expense of the time and resources spent in preparing for and attending the meeting, and in dealing with the FDA's "suggestions" that might result. It is also conceivable that such a meeting could result in greater demands than what might have made it through an actual review.
Refuse-to-Accept: The report suggests that FDA include cybersecurity as an explicit item on its refuse-to-accept checklist. This seems to suggest that its not being explicit means that it does not currently trigger refusals, possibly because the checklist checkers aren't being effective. If the lack of sufficient cyber information makes it past the checklist, does it also make it past the subsequent review?
Cybersecurity in Smart templates: The report recommends that the FDA should include cybersecurity as a stand-alone element in the Smart template to ensure consistent cybersecurity reviews. Smart templates are used internally by the FDA to guide the review process. While they have been described from time to time, I could not find any publicly available description of what the template actually looks like. Nonetheless, the premise here is that currently the FDA reviewers are not doing an adequate job in the cyber arena, and that if their work were explicitly guided in the template, they would do a better job.
The report provides an FDA response which is positive yet restrained. FDA agrees that more can be done in presubmission meetings, although it notes that such meetings are already being used for this purpose. They agreed to "mention" cybersecurity in a subsequent update of their presubmission guidance. The FDA agreed that specifically including cybersecurity in the refusal checklist "could improve efficiency", but said that in fact the checklisters were already looking for this material and that explicitly including it would not alter the actual technical review process. The FDA further responded that they have already added cybersecurity to the Smart template, and that they already update the template as necessary.
Net result: The OIG made some bland recommendations and the FDA said they were already doing the equivalent.