As part of the Administration’s ongoing efforts to strengthen cybersecurity in health care, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.
The agreement, between the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications, is meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats. Such collaboration can lead to more timely and better responses to potential threats to patient safety.
The two agencies have already worked together on many aspects of medical device cybersecurity, most notably around coordination of vulnerability disclosures. This helps medical device manufacturers receive technical information from cybersecurity researchers regarding identified vulnerabilities in their products in a way that enables all parties to respond to potential threats in a timely way.
The agencies have also collaborated on planning, executing and conducting after-action reviews of DHS-led exercises that simulate real-world cybersecurity attacks and enable the government and stakeholders to practice and improve their responses to these threats. The goal of the agreement is to expand these types of collaboration by increasing the sharing of information between the two agencies to enhance mutual awareness of potential or known threats, thereby heightening coordination when vulnerabilities are identified. And to enhance shared technical capabilities, such as conducting collaborative assessments regarding the level of risk a potential vulnerability may pose to patient safety and coordinate testing of devices as warranted.
Under the agreement, DHS will continue to serve as the central medical device vulnerability coordination center and interface with appropriate stakeholders, including consulting with the FDA for technical and clinical expertise regarding medical devices. The DHS’ National Cybersecurity and Communications Integration Center will continue to coordinate and enable information sharing between medical device manufacturers, researchers and the FDA, particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to the Department of Homeland Security. The FDA will continue to engage in regular, ad hoc, and emergency coordination calls with DHS and advise DHS regarding the risk to patient health and potential for harm posed by identified cybersecurity threats and vulnerabilities.
The agreement formalizes a long-standing relationship between the FDA and DHS. Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks. This kind of coordination and information sharing can ultimately help protect patients who rely on lifesaving medical devices.
The agency is committed to enhancing patient safety by mitigating cybersecurity risk throughout the life cycle of medical devices, which includes monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they are on the market.
The DHS mission includes preventing terrorism and enhancing security; managing U.S. borders; administering immigration laws; securing cyberspace; and ensuring disaster resilience. Information sharing is a critical part of the DHS mission to create shared situational awareness of malicious cyber activity. DHS works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services.
