Inspecting FDA's Oversight of Hospitals' Networked Medical Devices: OIG's 2016 Work Plan
Earlier this month, the Office of the Inspector General (OIG) for the US Department of Health and Human Services (HHS) released its Fiscal Year 2016 Work Plan, which summarizes new and ongoing OIG reviews with respect to HHS programs and operations. OIG announced that in FY 2016, the agency will examine whether the US Food and Drug Administration's (FDA) "oversight of hospitals' networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety."
Under the Federal Food, Drug, and Cosmetic Act (FDCA), FDA regulates medical devices to ensure that they are safe and effective through a number of regulatory pathways (e.g., premarket approval or premarket notification). Increasingly, medical devices incorporate wireless technology and software, which FDA has the authority to regulate as part of an overall marketing application or notification. These devices, and the technologies or software they incorporate, are generally subject to the detailed Quality System (QS) regulation that governs the design and development of medical devices. See 21 CFR Part 820.
Reflecting this, FDA signaled a renewed focus on cybersecurity issues with the release in October 2014 of a final guidance for industry, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidance explains that manufacturers should "establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 C.F.R. § 820.30(g)." Specifically, FDA recommends that this approach address:
- identification of assets, threats, and vulnerabilities;
- assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
- assessment of the likelihood of a threat and of a vulnerability being exploited;
- determination of risk levels and suitable mitigation strategies; and
- assessment of residual risk and risk acceptance criteria.
FDA had earlier, in January 2005, issued a separate guidance for industry, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, which addresses the cybersecurity of devices already on the market. FDA has also launched a dedicated cybersecurity webpage.
Additionally, on May 13, 2015, FDA issued what appears to be its first public Safety Communication addressing cybersecurity vulnerabilities in a specific product, the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems. FDA and Hospira became aware of the vulnerabilities after an independent researcher published information about them. According to FDA's alert, "an independent researcher ha[d] released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump's functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies."
The inclusion of this topic in OIG's Work Plan reflects growing concern at FDA and related agencies about the cybersecurity of medical devices that use hardware, software, and networks to monitor a patient's medical status and to transmit and receive related medical data, including protected health information (PHI), over wired or wireless communications. According to OIG, "[c]omputerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, pose a growing threat to the security and privacy of personal health information." OIG noted that medical device manufacturers "provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device." OIG's plan to examine data security issues associated with networked medical devices, however, may signal doubt as to whether these disclosure statements and the surrounding infrastructure offer sufficient protection.
Given that OIG expects to release its findings in 2016, it will be interesting to see whether those findings affect FDA's oversight of networked medical devices or future legislative processes, such as the ongoing negotiations over the reauthorization of the Medical Device User Fee Amendments (MDUFA IV).
Depending on the outcome of OIG's review, members of Congress, industry, patients, and other stakeholders may use the report as a platform to call for further examination of cybersecurity in medical devices, particularly those connected to patients directly or indirectly, as well as those networked within hospitals and other healthcare institutions. The findings may be of particular interest to digital and mobile health app and software developers.
In the meantime, regulated stakeholders should consider revisiting FDA's cybersecurity guidance documents and webpage, and begin assessing whether their internal controls, quality systems, and other policies, procedures, and processes adequately account for potential cybersecurity risks and threats, including the asset, threat, and vulnerability identification and residual-risk assessment that the 2014 premarket guidance describes.