In Response To “Troubling” HHS OIG Report, Senator Questions FDA On Medical Device Cybersecurity Deficiencies

King & Spalding

On November 9, 2018, Senate Judiciary Committee Chairman Charles Grassley (R-IA) wrote to U.S. Food & Drug Administration (“FDA”) Commissioner Scott Gottlieb requesting information on FDA’s efforts to address medical device cybersecurity threats following the November 1 release of the Department of Health and Human Services Office of Inspector General’s (“OIG”) report titled “The Food and Drug Administration’s Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices.”

Senator Grassley’s letter to FDA Commissioner Gottlieb describes specific FDA medical device cybersecurity oversight and regulation deficiencies listed in the OIG report, noting that “OIG found that there was a lack of adequate testing of FDA’s ability to respond to medical device cybersecurity events, and two of its district offices had no written standard operating procedures to address recalls of medical devices that were vulnerable to cyber-attacks.”  The letter also highlights Grassley’s concerns regarding information sharing in response to cybersecurity incidents, citing OIG’s finding that “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.”

While Grassley recognizes FDA’s “proactive steps” to improve medical device cybersecurity, he states that the OIG report’s “revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit.”  To address those concerns, Grassley’s letter requests that the FDA provide a staff briefing, as well as written responses to various information requests, including:

  • Written summaries of the FDA’s efforts to implement the specific recommendations included in the OIG report;
  • Information regarding any FDA identification or assessment of foreign government/entity threats to “post market medical device cybersecurity”; and
  • Information regarding the FDA’s use of medical device reporting (“MDR”) data, including any cybersecurity-related uses.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
