The Office of the Inspector General (OIG) published a report in September 2018 after a review of the Food and Drug Administration’s (FDA) policies, procedures, and guidance relating to cybersecurity reviews of networked medical1 devices. In its findings, covered in our recent client alert, the OIG determined that while the FDA has started to include cybersecurity concerns in its review process, the FDA should take steps to ensure their cybersecurity review is systematic and consistent. The OIG specifically provided three recommendations for the FDA:

  • Promote the use of the FDA’s pre-submission program (Pre-Sub Program) to discuss cybersecurity concerns
  • Include cybersecurity documentation as a criterion in the FDA’s current Refuse To Accept checklists
  • Revise its “Smart” template to prompt FDA reviewers with specific cybersecurity questions

The FDA has voiced its agreement with all three of the recommendations and intends to incorporate them in its next round of updates to these items. The FDA will likely promote new policies and procedures in response to OIG’s recommendations in the near future, and medical device manufacturers should prepare for these updates.

  1. U.S. Dep’t of Health & Human Servs., Office of the Inspector General, OEI-09-16-00220, FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices 1 (Sept. 2018).