As evidenced by the recent announcement of its medical device and cybersecurity workshop on October 21 and 22, 2014, the Food and Drug Administration (FDA) is taking medical device cybersecurity seriously. This stance is further supported by the FDA’s partnership with the National Health Information Sharing and Analysis Center (NH-ISAC) to identify, mitigate, and prevent medical device cybersecurity threats.
The FDA, which has medical device regulation authority under the “Federal Food, Drug, and Cosmetic Act,” will work with the NH-ISAC to foster collaboration among healthcare providers and security experts. Deb Kobza, Executive Director of NH-ISAC, told HealthITSecurity.com last year that the organization’s goal is to make cybersecurity intelligence information actionable for participants. With offerings such as the First Responder Program and the National Healthcare and Public Health Cyber Response System, as well as a relationship with the Department of Health and Human Services (HHS), the NH-ISAC’s partnership with the FDA can be valuable to the healthcare industry.
The memorandum of understanding between the NH-ISAC and FDA had these goals in mind:
1. Create an environment that fosters stakeholder collaboration and communication, and encourages the sharing of information about cybersecurity vulnerabilities that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure. Ultimately, exploited vulnerabilities may have downstream public health and patient safety consequences.
2. Develop awareness of the Voluntary Cybersecurity Framework (established by the National Institute for Standards and Technology, herein referred to as NIST), and enable NH-ISAC members within the HPH sector to successfully adapt and operationalize the framework for their organizations and products.
3. Encourage stakeholders within the HPH Sector, to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities that affect their products.
4. Build a foundation of trust within the HPH community (including but not limited to medical device manufacturers, end user facilities, providers and healthcare organizations) so that NH-ISAC members can directly benefit from the sharing of cybersecurity vulnerability- and/or threat information identified within the HPH Sector, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health. . .
And as part of the agreement, the FDA will share medical device cybersecurity threats and vulnerabilities with the NH-ISAC, which will return the favor and provide the same relevant information to the FDA. The agreement will bolster the FDA and NH-ISAC’s efforts toward developing a shared risk assessment framework that would help the healthcare industry better identify cybersecurity vulnerabilities.
The memorandum of understanding will last five years, unless terminated by one of the parties. Read the agreement here.