WASHINGTON – Senate Judiciary Chairman Chuck Grassley of Iowa sent a letter to U.S. Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D. seeking answers on potential cybersecurity threats to medical devices and health technology identified by the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and what steps are being taken to fix them. On November 1, 2018, the HHS OIG released a report outlining some deficiencies in the FDA’s regulation and oversight of post-market medical device cybersecurity.
“Cyber risks to the health care sector are real, ongoing, and all reasonable efforts must be taken to combat them to protect patients,” Grassley wrote. “While I applaud the proactive steps the FDA took during the course of the drafting of the report to improve medical device cybersecurity, I am writing to ensure that this progress continues and that any remaining deficiencies are fixed. The report highlighted some very important issues where the FDA has room for improvement. Specifically, the OIG stated that the FDA’s ‘plans and processes were deficient in addressing medical device cybersecurity compromises.’”
OIG recommended four action items, including the establishment of written procedures and practices for securely sharing sensitive information about cybersecurity events with stakeholders and entering into formal agreements with federal partners to support FDA’s cybersecurity mission.
“I think you can agree, action must be taken to reduce and eliminate these threats,” Grassley added.
Earlier this year, Grassley raised concerns over foreign governments placing foreign agents in U.S.-based research institutions to steal intellectual property produced with taxpayer-funded grants.
Text of the letter is available here and below.
The Honorable Scott Gottlieb, M.D.
Commissioner
U.S. Food & Drug Administration
Dear Commissioner Gottlieb,
The Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21), tasked Federal entities with strengthening the security and resiliency of critical infrastructure against physical and cyber threats. The Department of Health and Human Services was designated to oversee the health care and public health sectors in this regard. In 2017, the Health Care Industry Cybersecurity Task Force identified as an “imperative” the need to “increase the security and resilience of medical devices and health IT” in order to keep patients safe and protect their information from vulnerability or exploitation. Cyber risks to the health care sector are real, ongoing, and all reasonable efforts must be taken to combat them to protect patients.
On November 1, 2018, the Department of Health and Human Services Office of Inspector General released a report outlining some deficiencies in the Food and Drug Administration’s (FDA) regulation and oversight of post-market medical device cybersecurity. The FDA is responsible for ensuring the safety and effectiveness of medical devices. While I applaud the proactive steps the FDA took during the course of the drafting of the report to improve medical device cybersecurity, I am writing to ensure that this progress continues and that any remaining deficiencies are fixed.
The report highlighted some very important issues where the FDA has room for improvement. Specifically, the OIG stated that the FDA’s “plans and processes were deficient in addressing medical device cybersecurity compromises.” OIG found that there was a lack of adequate testing of FDA’s ability to respond to medical device cybersecurity events, and two of its district offices had no written standard operating procedures to address recalls of medical devices that were vulnerable to cyber-attacks. OIG recommended four action items, including the establishment of written procedures and practices for securely sharing sensitive information about cybersecurity events with stakeholders and entering into formal agreements with federal partners to support FDA’s cybersecurity mission. According to the report, the FDA disagreed with OIG’s conclusions that the lack of a formal agreement with federal partners impedes information flow about cybersecurity incidents and that it had failed to properly assess medical device cybersecurity at an enterprise or component level. Despite this, OIG maintained that “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.”
These revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit. For example, I recently wrote a letter to NIH raising concerns about foreign governments effectively installing foreign agents in U.S.-based research institutions to steal intellectual property produced by taxpayer-funded studies. Medical devices could be exploited by those same foreign actors to not only interfere with normal device operation, which could cause harm to patients, but also to steal personal medical information. I think you can agree, action must be taken to reduce and eliminate these threats.
Additionally, the FDA’s website states that every year, the FDA receives hundreds of thousands of reports through medical device reporting (MDR) pertaining to device-related malfunctions, serious injuries, and deaths. It’s important that Congress gain a better understanding of what the FDA does with MDR data.
Accordingly, please provide written responses to the following questions no later than November 23, 2018:
I anticipate that your written reply and most responsive documents will be unclassified. Please send all unclassified material directly to the Committee. In keeping with the requirements of Executive Order 13526, if any of the responsive documents do contain classified information, please segregate all unclassified material within the classified documents, provide all unclassified information directly to the Committee, and provide a classified addendum to the Office of Senate Security. Although the Committee complies with all laws and regulations governing the handling of classified information, it is not bound, absent its prior agreement, by any handling restrictions.
Thank you in advance for your prompt attention to these matters. Should you have any questions, please contact Josh Flynn-Brown of my Committee staff at (202) 224-5225.
-30-