FDA, DHS partner on medical device cyber-security

The Food and Drug Administration and Department of Homeland Security have announced a new framework for greater coordination and cooperation when addressing cyber-security in medical devices.

The two agencies have already worked together on many aspects of medical device cyber-security, most notably around coordination of vulnerability disclosures. The new memorandum of agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is intended to encourage even greater coordination and information sharing regarding medical device cyber-security vulnerabilities and threats.

The agencies have—and will continue to—collaborate on “planning, executing and conducting after-action reviews of DHS-led exercises that simulate real-world cyber-security attacks and enable the government and stakeholders to practice and improve their responses to these threats,” the announcement says.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients."
Scott Gottlieb, FDA commissioner

Goals of the enhanced partnership include expanding information sharing between the two agencies, enhancing mutual awareness of potential and known threats, heightening coordination when vulnerabilities are identified, and building upon shared technical capabilities. That relationship includes conducting collaborative assessments regarding the level of risk a potential vulnerability may pose to patient safety and coordinate testing of devices as warranted.

Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center and reach out to appropriate stakeholders, including consultations with the FDA for technical and clinical expertise regarding medical devices.

DHS’ National Cybersecurity and Communications Integration Center will continue to coordinate and enable information sharing between medical device manufacturers, researchers and the FDA, particularly in the event of cyber-security vulnerabilities in medical devices that are identified to the Department of Homeland Security.

The FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise that agency regarding the risk to patient health and potential for harm posed by identified cyber-security threats and vulnerabilities.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients,” FDA commissioner Scott Gottlieb said in a statement announcing the new memorandum of agreement. “We know that securing medical devices from cyber-security threats cannot be achieved by one government agency alone. Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cyber-security vulnerabilities and assist the health care sector in being well positioned to proactively respond when cyber-vulnerabilities are identified.”

“This agreement demonstrates our commitment to confronting cyber-security risks and the unscrupulous cyber-criminals who may seek to put patient lives at risk,” he added.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority,” said Christopher Krebs, undersecretary for the national protection and programs directorate at DHS.