FDA signs agreement with Homeland Security to improve medical device security

Posted on: Thursday, October 25, 2018 By: KorchekStaff

FDA signs agreement with Homeland Security to improve medical device security


The FDA and the Department of Homeland Security signed a memorandum of agreement as part of a joint effort to address threats to medical device security, particularly among internet-connected products.

Under the agreement, the FDA's Center for Devices and Radiological Health and Homeland Security's Office of Cybersecurity and Communications pledged to coordinate when responding to medical device security threats. The two agencies will share information and collaborate to address security vulnerabilities in medical devices.

The FDA and Homeland Security may also conduct collaborative assessments of medical device security issues to jointly determine the level of risk the vulnerability poses to patient safety.

The agreement "formalizes a long-standing relationship" between the two agencies, according to an FDA statementannouncing the partnership Oct. 16. The FDA and Homeland Security already coordinate to distribute information about potential cybersecurity vulnerabilities to relevant medical device manufacturers, often after an independent cybersecurity researcher identifies a risk in a commercial products.

"Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information," Christopher Krebs, undersecretary for the national protection and programs directorate at Homeland Security, said in the Oct. 16 statement.

In early October, FDA Commissioner Scott Gottlieb, MD, highlighted four steps the agency was taking to strengthen its cybersecurity program for medical devices, including establishing more avenues for devicemakers and government agencies — such as Homeland Security — to develop collaborative responses to cyberthreats.

At the time, Dr. Gottlieb emphasized that the FDA wasn't aware of any cases in which hackers had exploited a cybersecurity vulnerability in a medical device in use by a patient. However, cybersecurity researchers have warned about the potential of such attacks — in August, cybersecurity company McAfee said it found a way to modify patients' heart rate data displayed on a central monitoring station.

In his Oct. 16 statement, Dr. Gottlieb said internet-connected medical devices posed particular challenges for organizations working to ensure the safety of patients and their data.

"As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients,” Dr. Gottlieb said. "But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges."