FDA signs agreement with Homeland Security to improve medical device security

The FDA and the Department of Homeland Security signed a memorandum of agreement as part of a joint effort to address threats to medical device security, particularly among internet-connected products.

Under the agreement, the FDA's Center for Devices and Radiological Health and Homeland Security's Office of Cybersecurity and Communications pledged to collaborate when responding to medical device security threats. This may include working together to assess medical device security issues, in an effort to jointly determine the level of risk a vulnerability poses to patient safety.

The agreement "formalizes a long-standing relationship" between the two agencies, according to an FDA statement announcing the partnership Oct. 16. The FDA and Homeland Security already coordinate to distribute information about potential medical device vulnerabilities to relevant manufacturers, often after an independent cybersecurity researcher identifies a risk in a commercial product.

"Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information," Christopher Krebs, undersecretary for the national protection and programs directorate at Homeland Security, said in the Oct. 16 statement.

In early October, FDA Commissioner Scott Gottlieb, MD, highlighted four steps the agency is taking to strengthen its cybersecurity program for medical devices, including establishing more avenues for devicemakers and government agencies — such as Homeland Security — to develop collaborative responses to cyberthreats.

At the time, Dr. Gottlieb emphasized that the FDA wasn't aware of any cases in which hackers had exploited a cybersecurity vulnerability in a medical device in use by a patient. However, cybersecurity researchers have warned about the potential of such attacks — in August, cybersecurity company McAfee said it found a way hackers could modify how patients' heart rate data is displayed on a central monitoring station.

In his Oct. 16 statement, Dr. Gottlieb said internet-connected medical devices posed particular challenges for organizations working to ensure the safety of patients and their data.

"As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients," Dr. Gottlieb said. "But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges."

Copyright © 2023 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars