Cyber

FDA cybersecurity agreement on medical devices needs updating, watchdog finds

GAO report says FDA's pact with CISA on cybersecurity protocols for medical devices is five years old and needs to be updated.

By Nihal Krishan

December 26, 2023

(Getty Images)

Medical devices like heart monitors, which are under the purview of the Food and Drug Administration, have cybersecurity vulnerabilities that aren’t frequently exploited but nevertheless pose risks to hospital networks and patients, according to a recent watchdog report.

The Government Accountability Office highlighted that the FDA’s medical device cybersecurity formal agreement is five years old and needs to be updated with the help of the Cybersecurity and Infrastructure Security Agency, a move that would improve agency coordination and clarify responsibilities.

“According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits,” the GAO report stated.

“Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”

The GAO report found that the FDA’s authority over medical device cybersecurity has increased in recent years. This is attributable to December 2022 legislation that mandated that medical device manufacturers submit to FDA their plans to identify and address cybersecurity vulnerabilities for any new medical device that were introduced to consumers starting in March 2023.

The GAO report also noted that FDA officials are currently implementing new cybersecurity authorities from past legislation and have not yet identified the need for any additional authority.

According to FDA guidance, if medical device manufacturers do not fix cyber vulnerabilities, the agency can find that the manufacturers have violated federal law and can be penalized through enforcement actions.

The GAO report recommended that the FDA and CISA update their medical device cyber agreement to reflect organizational and procedural changes that have occurred. Both agencies agreed with the recommendations.

FDA cybersecurity agreement on medical devices needs updating, watchdog finds

More Like This

Security flaws in IRS systems pose risk to financial statements, GAO says

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

GSA taps Login.gov deputy director to take top role next month

Top Stories

ACLU seeks AI records from NSA, Defense Department in new lawsuit

IRS touts Direct File usage, while mulling the future of the program

DHS launches safety and security board focused on AI and critical infrastructure

GSA welcomes nominations for advisory committee focused on federal transparency efforts

DOJ seeks public input on AI use in criminal justice system

DHS picks OMB official to lead its new AI Corps

More Scoops

Agencies must do a better job of sharing emerging tech regulatory challenges with Congress, watchdog report says

Only 3 agencies have hit deadline for cyber event logging standards, GAO finds

Watchdog calls for State Department to assess cybersecurity risks

Secret Service needs to make key improvements to zero trust effort says watchdog

Sen. Warner criticizes HHS and CISA for lack of coordination on cybersecurity, pushes for new cyber exec

Coast Guard needs to improve its cyber workforce says watchdog

Watchdog calls on HHS to improve feedback system for health care cyber breach reporting

Latest Podcasts

FDA cybersecurity agreement on medical devices needs updating, watchdog finds

CISA is building an automated ransomware warning program

GSA’s Login.gov platform gets a new director

DOD’s Ashley Elizabeth Evans on effectively implementing AI

Tech

Defense

Cyber

Acquisition