FDA to bolster cybersecurity of medical devices

FDA wants companies to do more to curb hacking and other security threats in devices, according to an audit report published by HHS's inspector general office.

FDA wants companies to do more to curb hacking and other security threats in devices, according to an audit report published by HHS's inspector general office. The inspectors urged FDA reviewers to include cybersecurity to their "refuse to accept" checklist, which is a list of items that companies must submit at the beginning of the process to be considered for potential clearance or approval. The federal inspectors also recommended that FDA include cybersecurity discussions in their meetings with companies that seek to submit devices for approval, and to add it to the digital templates used for reviewing lower-risk devices. FDA officials say they are working to update its rules for how network-capable devices should be designed at their earliest stages with cybersecurity in mind. For instance, FDA could require device makers to create and distribute a "software bill of materials" that would identify all of the software that comes standard on a device. The agency is also considering forming a public-private CyberMed Safety Analysis Board that would serve as a "go-team" to investigate potential and actual device compromises at FDA's request. HHS's inspector general's office is currently preparing another report that will examine FDA's cybersecurity effort after devices have been allowed into the U.S. market.