On November 2, 2015, the HHS Office of Inspector General (OIG) published its FY 2016 Work Plan, which summarizes new and ongoing activities that OIG plans to pursue with respect to HHS programs and operations during the fiscal year.

The FY 2016 Work Plan includes a new review initiative to examine “whether FDA’s oversight of hospitals’ networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety.”  The Work Plan notes that networked medical devices, such as radiology systems and medication dispensing systems that are integrated with electronic medical records and the larger health network, “pose a growing threat to the security and privacy of personal health information.”  OIG’s Work Plans for FY 2014 and FY 2015 both included a similar review focused on oversight by CMS of hospitals’ security controls over networked medical devices.  This review activity has been removed in the FY 2016 Work Plan.

As we have discussed here and on Covington’s InsideMedicalDevices blog, medical device cybersecurity is an area of increasing focus for FDA.  For example, last month FDA issued a final guidance on addressing cybersecurity issues for medical devices.  Also last month, FDA’s Center for Devices and Radiological Health released its FY 2016 Regulatory Science Priorities, which included researching ways to enhance performance of digital health and medical device cybersecurity.