The Government Accountability Office (GAO) is urging the U.S. Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) to update their five-year-old arrangement to cooperate on improving medical device cybersecurity.
In a report released today, GAO recommended updating the existing agreement between the two agencies “to improve agency coordination and clarify roles” between them.
Both agencies concurred with GAO’s recommendations that they update their existing agreement “to reflect organizational and procedural changes that have occurred” since the current arrangement was put in place in 2018.
Under the existing arrangement, FDA has primary responsibility for medical device cybersecurity, and collaborates with CISA on security guidance for manufacturers and distributing public alerts about vulnerabilities, among other functions.
GAO’s recommendation is based on its findings after a review with 25 non-Federal entities representing health care providers, patients, and device makers who “identified challenges in accessing federal support to address cybersecurity vulnerabilities.”
Those challenges, the watchdog agency said, include “a lack of awareness of resources or contacts” and “difficulties understanding vulnerability communications from the federal government.”
“Cybersecurity vulnerabilities that threaten medical devices aren’t commonly exploited but still pose risks to hospital networks—and patients,” GAO said. At the same time, the watchdog agency cited Department of Health and Human Services findings that medical devices “are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”
GAO also noted that the FDA is “implementing new cybersecurity authorities” regarding medical devices but has “not yet identified the need for any additional authority.”
