The Department of Health and Human Services Office of Inspector General says the Food and Drug Administration should further integrate cybersecurity considerations into the pre-market review process for medical devices. FDA reviewers consider known cybersecurity risks and threats when reviewing submissions and apply that knowledge to devices that display similar risk profiles. FDA reviewers also look for cybersecurity documentation in the submissions, and often request additional information from manufacturers when submissions lack sufficient cybersecurity documentation or when clarification is needed.

However, OIG found that FDA could further integrate cybersecurity into its overall review process. For example, FDA’s “Refuse-To-Accept” checklists, which the agency uses to screen submissions for completeness, do not include checks for cybersecurity information. Also, FDA’s “Smart” template, which FDA uses to guide its reviews of submissions, does not prompt FDA reviewers with specific cybersecurity questions to consider and lacks a dedicated section for recording the results of the cybersecurity review.