GAO Urges FDA, CISA to Update Medical Device Cybersecurity Coordination Agreement

The US Government Accountability Office conducted a study showing the challenges non-federal entities face in obtaining federal cybersecurity support for medical devices.

Katie Hobbins, Managing Editor

January 2, 2024

2 Min Read

Medical devices such as heart monitors present a cybersecurity risk because they connect to a hospital’s network, expanding the attack surface an intruder can reach from that network. While such vulnerabilities are not commonly exploited, they still carry risk to hospital networks and to patients, according to the United States Government Accountability Office (GAO).

Recently, GAO published a study examining cyber threats that target medical devices and how FDA, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), develops and oversees cybersecurity guidance for device manufacturers.

The Consolidated Appropriations Act, 2023, included a provision for GAO to review cybersecurity in medical devices. The resulting study reported on the extent to which “relevant non-federal entities are facing challenges in accessing federal support on medical device cybersecurity, federal agencies have addressed identified challenges, key agencies are coordinating on medical device cybersecurity, and limitations exist in agencies’ authority over medical device cybersecurity,” according to the report.

To understand these potential issues, GAO identified the federal agencies with roles in medical device cybersecurity and selected 25 non-federal entities representing healthcare providers, patients, and medical device manufacturers. The office then interviewed these entities about the challenges they face in accessing federal cybersecurity support. Additionally, GAO assessed “agency documentation and compared coordination efforts against leading collaboration practices; reviewed relevant legislation and guidance; and interviewed agency officials.”

GAO found that the non-federal entities described two main challenges: a lack of awareness of which federal resources or contacts exist, and difficulty understanding the vulnerability communications the federal government issues. FDA and CISA, according to the report, are taking steps that, if implemented effectively, could address both challenges.

FDA and CISA manage medical device cybersecurity through active coordination, the office noted. Specifically, in 2018 the agencies developed an agreement that addressed most leading practices for collaboration. However, the agreement is now five years old and has not been revised to reflect the organizational and procedural changes that have occurred since 2018.

One such change is FDA’s expanded authority over medical device cybersecurity. Legislation enacted in December 2022 requires manufacturers of new devices submitted to FDA for review, starting in March 2023, to include plans for monitoring, identifying, and addressing cybersecurity vulnerabilities in those devices.

Based on its findings, GAO recommends that FDA and CISA update their agreement to reflect the changes that have occurred since 2018, clarify each agency’s role, and improve coordination between them. Both agencies, according to the report, concurred with the recommendations.

About the Author(s)

Katie Hobbins

Managing Editor, MD+DI

Katie Hobbins is managing editor for MD+DI and joined the team in July 2022. She boasts multiple previous editorial roles in print and multimedia medical journalism, including dermatology, medical aesthetics, and pediatric medicine. She graduated from Cleveland State University in 2018 with a bachelor's degree in journalism and promotional communications. She enjoys yoga, hand embroidery, and anything DIY. You can reach her at [email protected].
