Neil P. Di Spirito, Member of the Firm in the Health Care and Life Sciences practice, in the firm’s Washington, DC, and St. Petersburg offices, was quoted in Inside Health Policy, in “HHS Report Finds FDA Postmarket Cybersecurity Lacking, FDA Fires Back,” by David Roza. (Read the full version – subscription required.)
Following is an excerpt:
FDA and the HHS Office of Inspector General are butting heads over whether the agency is equipped to address postmarket cybersecurity risks to medical devices.
A report released by the OIG last month says FDA has a long way to go on addressing such risks, pointing out a lack of written procedures for handling cybersecurity events, for sharing information between stakeholders, and for recalling vulnerable devices, as well as a lack of testing of the agency’s ability to respond to cybersecurity events in devices.
But FDA shot back, telling the OIG prior to the report’s release that its findings were “incomplete and inaccurate,” and noted the OIG conducted its fieldwork from autumn 2016 to spring 2017, during which time the agency finalized its guidance on postmarket device cybersecurity. FDA included a long list of steps it has taken since then to develop cybersecurity protocols. The agency also argued that OIG overstated the significance of several of its recommendations, such as its call for creation of a group email account for its cybersecurity workgroup.
“OIG began its audit even as FDA was still implementing the [cybersecurity] program, and OIG’s background summary as well as its findings provide an incomplete snapshot of FDA’s work,” the agency writes in its response, which was included in OIG’s report. “Fundamentally, FDA disagrees with OIG’s conclusion that FDA’s policies and procedures did not ‘adequately’ address cybersecurity risk to medical devices.”
Despite FDA’s counterpunch, OIG stood by its recommendations.
But device experts had differing interpretations of the report. Neil Di Spirito, a member of the firm Epstein Becker Green, said the fieldwork that informed the report was outdated, and that FDA has “been very proactive in trying to get ahead of the curve on device cybersecurity.”
“The report was not really critical of FDA,” Di Spirito told Inside Health Policy. “It’s just telling them to continually address the cybersecurity risk. As our defenses get more advanced, so do the people trying to invade those defenses.”