FDA and DHS Collaborate to Boost Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement that adopts a new framework to increase cooperation and enhance coordination of their efforts to boost medical device security.

Cybersecurity flaws in healthcare devices have become a growing concern, largely due to the increased use of connected medical devices by healthcare providers and the frequency with which exploitable flaws have been uncovered. Further, exploitation of these flaws not only provides access to sensitive data and healthcare networks; hackers could also change the functionality of the devices to harm patients.

The FDA and DHS are well aware of the threats and both agencies have been working toward reinforcing cybersecurity of medical devices. The FDA has developed a solid program to deal with medical device cybersecurity issues and works with manufacturers of the devices to help them improve cybersecurity. However, the problem of medical device cybersecurity cannot be solved by a single government agency working in isolation.

Under the new agreement, the two agencies will share information to improve understanding of new threats to medical device security. Whenever vulnerabilities are identified, the two departments will work closely together to examine the risk to patient safety brought about by the vulnerabilities. The agencies will likewise coordinate assessments of the vulnerabilities.

With the two agencies working together, duplication of activities will largely be avoided and efficiency will improve. DHS will continue to be the central coordination center via the National Cybersecurity and Communications Integration Center (NCCIC) and will retain responsibility for coordinating information sharing among the FDA, medical device companies and security researchers.

The FDA’s Center for Devices and Radiological Health possesses substantial technical and clinical expertise in evaluating the risks medical device vulnerabilities present to patient health and the possibility that patients will be harmed. The FDA is therefore in an ideal position to advise DHS on the potential impact of vulnerabilities and will advise DHS through regular, ad hoc, and emergency calls.