FDA cybersecurity agreement on medical devices needs updating, watchdog finds
Medical devices like heart monitors, which are under the purview of the Food and Drug Administration, have cybersecurity vulnerabilities that aren’t frequently exploited but nevertheless pose risks to hospital networks and patients, according to a recent watchdog report.
The Government Accountability Office highlighted that the FDA’s medical device cybersecurity formal agreement is five years old and needs to be updated with the help of the Cybersecurity and Infrastructure Security Agency, a move that would improve agency coordination and clarify responsibilities.
“According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits,” the GAO report stated.
“Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”
The GAO report found that the FDA’s authority over medical device cybersecurity has increased in recent years. This is attributable to December 2022 legislation that mandated that medical device manufacturers submit to FDA their plans to identify and address cybersecurity vulnerabilities for any new medical device introduced to consumers starting in March 2023.
The GAO report also noted that FDA officials are currently implementing new cybersecurity authorities from past legislation and have not yet identified the need for any additional authority.
According to FDA guidance, if medical device manufacturers do not fix cyber vulnerabilities, the agency can find that they have violated federal law and can penalize them through enforcement actions.
The GAO report recommended that the FDA and CISA update their medical device cyber agreement to reflect organizational and procedural changes that have occurred. Both agencies agreed with the recommendations.