FDA, DHS Partner to Strengthen Medical Device Cybersecurity Program

Agreement Meant to Encourage Cooperation Around Medical Device Cybersecurity Vulnerabilities, Threats

Agreement Meant to Encourage Cooperation Around Medical Device Cybersecurity Vulnerabilities, Threats

Hoping to stay ahead of the curve, the U.S. Food and Drug Administration (FDA) and U.S. Department of Homeland Security (DHS) just announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients,” said FDA Commissioner Scott Gottlieb, MD. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

The strengthened partnership with DHS “will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the healthcare sector in being well positioned to proactively respond when cyber vulnerabilities are identified,” Gottlieb said.

The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’s Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety, FDA and DHS said when announcing the initiative last week.

The two agencies have already worked together on many aspects of medical device cybersecurity, most notably around coordination of vulnerability disclosures, in part to help medical device manufacturers receive technical information from cybersecurity researchers regarding identified vulnerabilities in their products in a way that enables all parties to respond to potential threats in a timely way, FDA and DHS said.

Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center and interface with appropriate stakeholders, including consulting with the FDA for technical and clinical expertise regarding medical devices. The DHS’s National Cybersecurity and Communications Integration Center will continue to coordinate and enable information sharing between medical device manufacturers, researchers, and the FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to DHS. The FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise DHS regarding the risk to patient health and potential for harm posed by identified cybersecurity threats and vulnerabilities.

Author: Michael Causey