FDA, DHS Strengthen Collaboration Against Medical Device Cybersecurity Threats
The U.S. Food and Drug Administration (FDA) and Department of Homeland Security (DHS) have announced a strengthened partnership to bolster medical device cybersecurity, increasing communication and coordination between the two agencies.
“The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” FDA Commissioner Scott Gottlieb said in a press release. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges.”
This new agreement is specifically between the Center for Devices and Radiological Health within the FDA and the Office of Cybersecurity and Communications within the DHS. It will implement a framework for increased information sharing and coordination regarding potential or confirmed medical device cybersecurity threats. A tighter collaboration means better and more timely responses, ultimately protecting patients.
“DHS has some of the top experts on control systems technology,” Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS, said in the same press release. “DHS has enjoyed a great working relationship with the FDA for several years and look forward to this agreement making that working relationship even stronger and more effective.”
Current medical device cybersecurity
This agreement formalizes a long-standing partnership between the FDA and DHS. The DHS will continue to be the main medical device vulnerability coordination center, consulting with the FDA for clinical and technical expertise.
“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber vulnerabilities are identified,” Gottlieb added.
Previously, the agencies have focused on coordinating vulnerability disclosures, which helps medical device manufacturers get information about vulnerabilities in their products, so they can quickly respond to potential threats.
Under this new agreement, the DHS will continue to facilitate information sharing between medical device manufacturers, cybersecurity researchers, and the FDA. The FDA will also continue to perform regular and emergency coordination calls with DHS to advise them on potential risks and harm to patients posed by cybersecurity threats.
The DHS has also led cybersecurity attack simulations, providing practice in responding to those threats and reviewing the responses afterward to learn from them.
Other actions against medical device threats
The FDA has recently implemented or strengthened multiple programs to enhance patient safety by mitigating medical device cybersecurity risk, including the agreement with the DHS.
In April, the FDA released an action plan for how the agency would continue to improve its processes to ensure medical device safety, including reinforcing medical device cybersecurity. The agency also proposed to create a Center of Excellence for Digital Health to ‘establish more efficient regulatory paradigms and support a cybersecurity unit to complement advances in software-based devices.’
A formal agreement between the FDA and multiple stakeholders, including government agencies and academic institutions, to bring together groups of experts to analyze and disseminate important cyber threat information was announced earlier this month. The transparency of manufacturers sharing information with the experts should allow manufacturers to address potential issues earlier, resulting in better-protected products for patients.
In 2014, the FDA published premarket cybersecurity guidelines for medical device manufacturers to consider when designing and developing devices. Earlier this month, the FDA provided significant updates to include the most recent cybersecurity information and recommendations, such as preparing users for threats by providing a list of potentially vulnerable software and hardware device components. The FDA also published postmarket guidelines in 2016, detailing how manufacturers can quickly respond to cybersecurity threats once the device is in use.
The MITRE Corporation, with support from the FDA, released a playbook earlier this month for healthcare delivery organizations that details readiness activities against medical device cybersecurity incidents. Activities include training exercises and creating a medical device inventory. The FDA also has its own internal playbook outlining similar activities to help the agency respond to threats quickly and efficiently.