GAO: FDA Should Update Medical Device Cybersecurity Agreement
The Government Accountability Office (GAO) has recommended the Food and Drug Administration (FDA) update its formal medical device agreement with the Cybersecurity and Infrastructure Security Agency (CISA), as the agreement is now five years old.
The Consolidated Appropriations Act of 2023 includes a provision for GAO to review cybersecurity in medical devices and the FDA has primary responsibility for the cybersecurity of medical devices such as heart monitors. The FDA collaborates with CISA on security guidance for medical device manufacturers, public alerts about current vulnerabilities, and more, and facilitates collaboration with other federal agencies.
While data from the Department of Health and Human Services do not show that vulnerabilities in medical devices are commonly exploited by malicious cyber actors, vulnerabilities in medical devices are a cause of concern as they could be exploited to cause harm to patients or to gain access to the internal networks to which the devices connect. Unauthorized access could result in delays to critical patient care, access being gained to sensitive patient data, and healthcare operations being shut down. Because of these risks, the HHS considers medical device cybersecurity to warrant significant attention.
GAO identified federal agencies with roles in medical device cybersecurity and selected 25 non-federal entities representing healthcare providers, patients, and medical device manufacturers, and conducted interviews to find out about the challenges in accessing federal cybersecurity support. GAO also assessed agency documentation and compared coordination efforts against leading collaboration practices, reviewed relevant legislation and guidance, and interviewed agency officials. GAO’s interviews identified several challenges that entities face, such as a lack of awareness of resources or contacts and difficulties understanding vulnerability communications from the federal government; however, GAO found that the steps that the FDA and CISA are taking will meet those challenges if they are implemented effectively.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The GAO study found that the FDA’s authority over medical devices has increased in recent years following December 2022 legislation mandating that medical device manufacturers submit plans to the FDA for addressing the cybersecurity of their medical devices in premarket submissions. The new legislation took effect in March 2023. The FDA has an agreement with CISA to support medical device cybersecurity; however, the agreement does not reflect organizational and procedural changes that have occurred over the last 5 years. GAO therefore recommended that the FDA and CISA work together and update the FDA agreement to reflect those changes, as doing so will enhance coordination and help ensure clarity of current roles in addressing medical device cybersecurity. Both agencies agreed with the recommendations.