FDA and CISA need to update cyber agreement for medical devices, watchdog says

The Government Accountability Office said medical devices are not commonly hacked but still called them “a source of cybersecurity concern warranting significant attention.”

Although cyber vulnerabilities affecting medical devices are not often exploited by nefarious actors, the Government Accountability Office is still calling for the Cybersecurity and Infrastructure Security Agency and the Food and Drug Administration to update their 5-year-old agreement when it comes to providing cybersecurity guidance to device manufacturers. 

In a report released on Thursday, GAO said that the FDA and CISA — which have jointly “developed an agreement addressing most leading practices for collaboration” with industry partners — need to update their pact “to reflect organizational and procedural changes that have occurred since 2018.”

GAO said that “FDA and CISA have a documented collaboration agreement addressing most leading practices,” but warned that the current agreement between the agencies does not, in part, include three leading practices — “ensuring accountability, including relevant participants and developing and updating written guidance and agreements.”

“Until FDA and CISA collaborate to update their agreement to incorporate missing leading practices, the agency will have less assurance that it will be able to effectively coordinate and avoid fragmentation, duplication or overlap of work,” the report said. 

Citing previous studies conducted by the Department of Health and Human Services and the Healthcare and Public Health Sector Coordinating Council, GAO said that “medical devices have not typically been exploited to disrupt clinical operations in hospitals.” The watchdog still warned, however, that “they are a source of cybersecurity concern warranting significant attention.”

“As devices become more integrated with medicine and more digitally interconnected, securing medical devices against cyber threats is imperative,” the report said, noting that “network connections create more avenues for a bad actor, and threats can be spread to and from other devices and systems on the network.”

GAO made two recommendations — one to the FDA and one to CISA — that called for the agencies to “update their agreement to reflect organizational and procedural changes that have occurred.” Both agencies concurred with the watchdog’s recommendations. 