FDA, DHS Partner to Speed Response To Medical Device Cybersecurity Threats

With the increased role of technology in health care and health care administration, concern over cybersecurity continues to increase. Cybersecurity sessions at health care conferences are often packed as industry leaders attempt to hammer out solutions that balance the need for data security and privacy of patient data.

As part of the Administration’s ongoing efforts to strengthen cybersecurity in health care, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) have agreed to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Both the FDA and DHS expect the collaboration to result in more timely and better responses to potential threats to patient safety.

Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center and interface with appropriate stakeholders, including consulting with the FDA for technical and clinical expertise regarding medical devices. The DHS’ National Cybersecurity and Communications Integration Center will continue to coordinate and enable information sharing between medical device manufacturers, researchers and the FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to the Department of Homeland Security. The FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise DHS regarding the risk to patient health and potential for harm posed by identified cybersecurity threats and vulnerabilities.

The agencies are no strangers with one another, having worked together on many aspects of medical device cybersecurity, most notably around coordination of vulnerability disclosures. The agencies have also collaborated on planning, executing and conducting after-action reviews of DHS-led exercises that simulate real-world cybersecurity attacks and enable the government and stakeholders to practice and improve their responses to these threats.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients. The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” says FDA Commissioner Scott Gottlieb, M.D., in a statement. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. That’s why this announcement is so important.”

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” says Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS, in a statement. “DHS has some of the top experts on control systems technology, and we look forward to continuing to leverage this expertise for the sake of improving the lives and safety of people across the country.