GAO Urges FDA, CISA to Revamp Medical Device Cybersecurity Agreement

December 28, 2023 - The US Government Accountability Office (GAO) released a report on medical device cybersecurity to address limitations in federal agencies’ authority, explore challenges in accessing federal support, and provide recommendations to the government on improving coordination in this space.

As a result of its research, GAO recommended that the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA), the two main authorities over medical device security, revamp their 5-year-old agreement in order to reflect organizational changes and improve coordination.

Medical device cybersecurity vulnerabilities have been a concern in the industry for years, even though HHS data shows that these vulnerabilities have not been commonly exploited by threat actors. Even so, HHS maintains that these vulnerabilities remain a weak link in healthcare cybersecurity and could pose threats to patient safety, particularly if threat actors can gain access and compromise other devices on the victim’s network.

CISA and the FDA tackle this problem collaboratively through a 2018 agreement that defines their shared goals and addresses bridging organizational gaps through leading practices, GAO acknowledged. However, this agreement is now outdated and is missing several leading practices that GAO identified as crucial to its success – ensuring accountability, including relevant participants, and developing and updating written guidance.

“Until FDA and CISA collaborate to update their agreement to incorporate missing leading practices, the agency will have less assurance that it will be able to effectively coordinate and avoid fragmentation, duplication, or overlap of work,” GAO suggested.

Since the agreement was first formed in 2018, each agency has undergone procedural and organizational changes. For example, when the agreement was first signed, CISA was known as the National Protection and Programs Directorate at the Department of Homeland Security. In November 2018, the directorate became CISA, but the document still refers to it by its old name.

What’s more, in 2022, the FDA’s authority over medical device cybersecurity increased significantly when new legislation enabled the FDA to refuse medical device submissions for cybersecurity reasons. Device manufacturers must now submit information to the FDA on their plans to monitor and address cybersecurity vulnerabilities. With these changes in mind, GAO recommended that the two agencies revisit their agreement.

In addition, GAO reasoned that limitations in the FDA’s authority persist, specifically when it comes to its authority over legacy devices.

“For example, once a hospital purchases a device and puts it into the environment, there may be aspects for which FDA has authority, but generally FDA does not regulate healthcare organization usage or maintenance of these devices,” GAO stated. “For instance, an MRI machine may still be in use decades after it was approved for use by FDA, but its manufacturer may no longer provide updates that could address evolving cyber threats.”

In addition to acknowledging some room for growth in terms of the FDA’s authority, GAO emphasized the importance of healthcare organizations taking actions to mitigate risk themselves. For example, segmenting legacy devices on a hospital’s network or increasing vendor support can go a long way in improving medical device security at the hospital level.

Both the FDA and CISA concurred with GAO’s recommendation and agreed to continue to work with one another to deliver resources to the sector.