Global Edition
Privacy & Security

It's time FDA and CISA update their medical device agreement, says GAO

The watchdog agency said that it found the existing coordination agreement does not reflect "organizational and procedural changes," including the FDA's authority to find that medical devices in use violate federal law.
By Andrea Fox
December 28, 2023
10:01 AM

 Photo: John Fedele/Blend Images/Getty Images

The Government Accountability Office has completed its review of cybersecurity in medical devices under the Consolidated Appropriations Act of 2023 and recommended the commissioner of food and drugs at the U.S. Food and Drug Administration and the director of the Cybersecurity and Infrastructure Security Agency update their agencies' medical device cybersecurity coordination agreement.

WHY IT MATTERS

GAO said in a summary released along with the December 21 report that it interviewed 25 non-federal entities representing healthcare providers, patients and medical device manufacturers to learn how they are challenged to access federal cybersecurity support for medical devices and then how agencies are addressing the challenges. 

The federal review agency said that it also analyzed relevant legislation and guidance and interviewed officials from 11 agencies to compare federal coordination efforts against leading collaboration practices, as well as to understand where limitations exist in the regulating agency’s authority over medical-device cybersecurity.

Cybersecurity protocols in FDA's medical device premarket review submissions were not required until March 2023.

"As such, a device manufacturer who made a submission before March 2023 would not be subject to the new requirements, unless the manufacturer is submitting a new marketing application for changes to the device," the GAO said.

Although the Consolidated Appropriations Act enhances medical device cybersecurity, limitations in FDA’s authority over older legacy devices exist, according to the report.

FDA does not regulate health system use or maintenance of these devices. 

For example, "an MRI machine may still be in use decades after it was approved for use by FDA, but its manufacturer may no longer provide updates that could address evolving cyber threats," the GAO noted.

It also said that the FDA is implementing new cybersecurity authorities by the more recently enacted legislation, but has not yet identified the need for any additional authority. 

"They can take measures to help ensure device cybersecurity under existing authorities such as monitoring health sector and CISA alerts, as well as directing manufacturers to communicate vulnerabilities to user communities and to remediate the vulnerabilities," the GAO said.

According to FDA guidance, if manufacturers do not remediate vulnerabilities, the agency may find the device to violate federal law and be subject to enforcement actions, the report noted.

The GAO said the 11 agencies commented on a draft of the report prior to its publication and three agencies provided comments. The Department of Health and Human Services responded on behalf of the FDA, concurring with GAO and pledging to work with the Cybersecurity and Infrastructure Security Agency. The Department of Homeland Security responded in kind on behalf of CISA. 

THE LARGER TREND

Last year, the FDA released draft medical-device cybersecurity guidance, while the Federal Bureau of Investigation called attention to the cybersecurity risks of outdated medical devices that, if exploited, could affect healthcare facility operations, patient safety, data confidentiality and data integrity.

Meanwhile, vulnerabilities in the software and firmware powering medical devices and other health IT applications keep increasing. Nearly four times as many are being weaponized compared to last year, Health Information Sharing and Analysis Center researchers said in August.

FDA's final guidance, released in September, noted that the Consolidated Appropriations Act adjusted section 524B(a) of the FD&C Act requires developers to submit information that ensures cyber devices meet cybersecurity requirements with their 510(k) premarket approval applications. Experts say such a software bill of materials will help federal resources and healthcare security teams better maintain medical-device cybersecurity over the long term.

The FDA is also developing guidance for artificial intelligence and machine learning-enabled devices requiring modification control plans in marketing submissions.

ON THE RECORD

"FDA developed a documented coordination agreement with CISA to support cybersecurity of medical devices; however, the agreement is outdated and does not reflect organizational and procedural changes that have occurred over the last five years," the GAO said in its report. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Compliance & Legal, Government & Policy, Medical Devices, Privacy & Security

More regional news

Healthcare worker puts hand on shoulder of person in wheelchair

EHRA recommends simplifying standards to scale SDOH

By
Andrea Fox
May 16, 2024
athenahealth tradeshow booth

Athenahealth launches customizable specialty EHRs

By
Andrea Fox
May 16, 2024
Surgeon using medical computer with x-ray in background

Bipartisan Senators provide a roadmap for AI policy in the U.S. Senate

By
Jessica Hagen
May 16, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Healthcare worker puts hand on shoulder of person in wheelchair
EHRA recommends simplifying standards to scale SDOH

Most Read

Migrating to the cloud: An overview of process and strategy
China unveils ChatGPT-like medical chatbot service
Scammers take advantage of Change cyberattack
HIMSS24 Native American Health IT Symposium: 'Many nations, one record'
Change Healthcare roundup: UHG pays out $2B, while feds mull cyber compliance rules
Cisco completes acquisition of enterprise resilience giant Splunk for $28B

Research

White Papers

More Whitepapers

Interoperability
Compliance & Legal
Artificial Intelligence

Webinars

More Webinars

Privacy & Security
Women In Health IT
Artificial Intelligence

Video

Christopher Kunney_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How US provider organizations can build underserved populations' trust
Dr. Maulik Majmudar_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Clinicians learn in the hospital as care moves to the home
Marco Marchetti, head of the HTA operational unit at AGENAS
How Italy plans to use AI to improve primary care
Dr. John Blair at MedAllies_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
National health information exchange: Where do QHINs fit in?

More Stories

Lee Kim at HIMSS_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Evolving threat landscape demands flexible security strategies
Brain graphic filled in with circuit board abstract
Vendor Notebook: AI tackles patient deterioration, obesity and stroke
Dr. Gauri Puri of WNS on digital transformation
A guide to healthcare digital transformation and the digital-first model
Sarah Wamala Andersson, professor of health and welfare technology at Sweden's Mälardalen University
Empowering European citizens to manage their health digitally
Kathleen McGrow at Microsoft_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Microsoft's CNIO talks AI literacy for nurses
Khue Tran at Azalea Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Rural chronic disease patients: Improving care access
Oracle Health booth at HIMSS23
Senators call for new VA oversight provisions in Oracle contract review
Dr. Mark Crockett of TeleDaaS on teleradiology
How teleradiology can spur innovative new treatments while helping with the staffing crisis