The Food and Drug Administration's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices

View Report

Date Issued

Monday, October 29, 2018

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

Food and Drug Administration

Report Number

A-18-16-30530

Report Description

We conducted this audit because OIG had identified ensuring the safety and effectiveness of medical devices and fostering a culture of cybersecurity as top management challenges for HHS. We also considered public and Congressional interest in medical device cybersecurity risks to patients and the Internet of Things. The Food and Drug Administration (FDA) is the HHS operating division responsible for assuring that legally marketed medical devices are safe and effective.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Additional Details

https://oig.hhs.gov/oas/reports/region18/181630530.asp

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
265897	No	$0	$0
We recommend that FDA establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a “need to know.”