As part of ongoing efforts to strengthen cybersecurity in health care, the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security (DHS) have entered a partnership to help address cybersecurity in medical devices.
FDA Commissioner Dr. Scott Gottlieb said, “As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients. The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns.”
The two authorities put ink to paper on a memorandum of agreement between the FDA’s Centre for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications. The aim of the agreement is to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats.
Gottlieb added, “We also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. This agreement demonstrates our commitment to confronting cybersecurity risks and the unscrupulous cybercriminals who may seek to put patient lives at risk.”
The agencies have already worked together on many aspects of medical device cybersecurity, most notably around coordination of vulnerability disclosures. This helps medical device manufacturers receive technical information from cybersecurity researchers about vulnerabilities identified in their products, so that all parties can respond to potential threats in a timely way.
There have also been previous collaborations on planning, executing and conducting after-action reviews of DHS-led exercises that simulate real-world cybersecurity attacks and enable the government and stakeholders to practice and improve their responses to these threats.
Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS, added, “Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration.”
The goal of the agreement is to expand these types of collaboration by increasing the sharing of information between the two agencies to enhance mutual awareness of potential or known threats, thereby heightening coordination when vulnerabilities are identified. It also aims to enhance shared technical capabilities, such as conducting collaborative assessments of the level of risk a potential vulnerability may pose to patient safety and coordinating testing of devices as warranted.
The agreement formalises a long-standing relationship between the FDA and DHS. Both agencies are renewing their commitment to working not only with each other but also with all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks. This kind of coordination and information sharing can help protect patients who rely on lifesaving medical devices.