It's time FDA and CISA update their medical device agreement, says GAO
The Government Accountability Office has completed its review of cybersecurity in medical devices under the Consolidated Appropriations Act of 2023 and recommended the commissioner of food and drugs at the U.S. Food and Drug Administration and the director of the Cybersecurity and Infrastructure Security Agency update their agencies' medical device cybersecurity coordination agreement.
WHY IT MATTERS
GAO said in a summary released along with the December 21 report that it interviewed 25 non-federal entities representing healthcare providers, patients and medical device manufacturers to learn how they are challenged to access federal cybersecurity support for medical devices and then how agencies are addressing the challenges.
The federal review agency said that it also analyzed relevant legislation and guidance and interviewed officials from 11 agencies to compare federal coordination efforts against leading collaboration practices, as well as to understand where limitations exist in the regulating agency’s authority over medical-device cybersecurity.
Cybersecurity protocols in FDA's medical device premarket review submissions were not required until March 2023.
"As such, a device manufacturer who made a submission before March 2023 would not be subject to the new requirements, unless the manufacturer is submitting a new marketing application for changes to the device," the GAO said.
Although the Consolidated Appropriations Act enhances medical device cybersecurity, limitations in FDA’s authority over older legacy devices exist, according to the report.
FDA does not regulate health system use or maintenance of these devices.
For example, "an MRI machine may still be in use decades after it was approved for use by FDA, but its manufacturer may no longer provide updates that could address evolving cyber threats," the GAO noted.
It also said that the FDA is implementing the new cybersecurity authorities granted by the more recently enacted legislation, but has not yet identified a need for any additional authority.
"They can take measures to help ensure device cybersecurity under existing authorities such as monitoring health sector and CISA alerts, as well as directing manufacturers to communicate vulnerabilities to user communities and to remediate the vulnerabilities," the GAO said.
According to FDA guidance, if manufacturers do not remediate vulnerabilities, the agency may find the device to violate federal law and be subject to enforcement actions, the report noted.
The GAO said it shared a draft of the report with the 11 agencies prior to publication, and three agencies provided comments. The Department of Health and Human Services responded on behalf of the FDA, concurring with GAO and pledging to work with the Cybersecurity and Infrastructure Security Agency. The Department of Homeland Security responded in kind on behalf of CISA.
THE LARGER TREND
Last year, the FDA released draft medical-device cybersecurity guidance, while the Federal Bureau of Investigation called attention to the cybersecurity risks of outdated medical devices that, if exploited, could affect healthcare facility operations, patient safety, data confidentiality and data integrity.
Meanwhile, vulnerabilities in the software and firmware powering medical devices and other health IT applications keep increasing. Nearly four times as many are being weaponized compared with last year, Health Information Sharing and Analysis Center researchers said in August.
FDA's final guidance, released in September, noted that section 524B(a) of the FD&C Act, as added by the Consolidated Appropriations Act, requires developers to submit information with their 510(k) premarket approval applications that ensures cyber devices meet cybersecurity requirements. Experts say the software bill of materials included in that information will help federal resources and healthcare security teams better maintain medical-device cybersecurity over the long term.
The FDA is also developing guidance for artificial intelligence and machine learning-enabled devices requiring modification control plans in marketing submissions.
ON THE RECORD
"FDA developed a documented coordination agreement with CISA to support cybersecurity of medical devices; however, the agreement is outdated and does not reflect organizational and procedural changes that have occurred over the last five years," the GAO said in its report.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.