FDA signs agreement with Homeland Security to improve medical device security

Jessica Kim Cohen

The FDA and the Department of Homeland Security signed a memorandum of agreement as part of a joint effort to address threats to medical device security, particularly among internet-connected products.

Under the agreement, the FDA's Center for Devices and Radiological Health and Homeland Security's Office of Cybersecurity and Communications pledged to collaborate when responding to medical device security threats. This may include working together to assess medical device security issues, in an effort to jointly determine the level of risk a vulnerability poses to patient safety.

The agreement "formalizes a long-standing relationship" between the two agencies, according to an FDA statement announcing the partnership Oct. 16. The FDA and Homeland Security already coordinate to distribute information about potential medical device vulnerabilities to relevant manufacturers, often after an independent cybersecurity researcher identifies a risk in a commercial product.

"Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information," Christopher Krebs, undersecretary for the national protection and programs directorate at Homeland Security, said in the Oct. 16 statement.

In early October, FDA Commissioner Scott Gottlieb, MD, highlighted four steps the agency is taking to strengthen its cybersecurity program for medical devices, including establishing more avenues for devicemakers and government agencies — such as Homeland Security — to develop collaborative responses to cyberthreats.

At the time, Dr. Gottlieb emphasized that the FDA wasn't aware of any cases in which hackers had exploited a cybersecurity vulnerability in a medical device in use by a patient. However, cybersecurity researchers have warned about the potential of such attacks — in August, cybersecurity company McAfee said it found a way hackers could modify how patients' heart rate data is displayed on a central monitoring station.

In his Oct. 16 statement, Dr. Gottlieb said internet-connected medical devices posed particular challenges for organizations working to ensure the safety of patients and their data.

"As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients," Dr. Gottlieb said. "But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges."

© Copyright ASC COMMUNICATIONS 2020.