GAO recommends FDA, CISA update agreement to address medical device cybersecurity challenges

The U.S. Government Accountability Office (GAO) has recommended that the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) update their agreement to align with recent organizational and procedural changes when it comes to addressing medical device cybersecurity. While the FDA and CISA have already developed an agreement that covers most collaboration best practices, it is important to note that this agreement, which is five years old, does not encompass all of these practices. Therefore, it is necessary to update the agreement to reflect the changes that have taken place since 2018. Both agencies have agreed with these recommendations.

GAO undertook the study because cyber threats that target medical devices could delay critical patient care, expose sensitive patient data, shut down healthcare operations, and necessitate costly recovery efforts. The FDA is responsible for ensuring that medical devices sold in the U.S. provide reasonable assurance of safety and effectiveness.

Jennifer R. Franks, director of the Center for Enhanced Cybersecurity, Information Technology and Cybersecurity at GAO, wrote in the watchdog’s latest report that the Consolidated Appropriations Act, 2023, includes a provision for the agency to review medical device cybersecurity. The GAO report was addressed to Bernard Sanders, chair of the Senate Committee on Health, Education, Labor and Pensions; Bill Cassidy, ranking member of the Senate Committee on Health, Education, Labor and Pensions; Cathy McMorris Rodgers, chair of the House Committee on Energy and Commerce; and Frank Pallone, Jr., ranking member of the House Committee on Energy and Commerce.

The report addresses four questions: the extent to which relevant non-federal entities face challenges in accessing federal support on medical device cybersecurity; the extent to which federal agencies have addressed the identified challenges; the extent to which key agencies are coordinating on medical device cybersecurity; and the extent to which limitations exist in agencies’ authority over medical device cybersecurity.

GAO cited a study by the Department of Health and Human Services (HHS) and the Healthcare and Public Health Sector Coordinating Council (HSCC) which found that medical devices have not typically been exploited to disrupt clinical operations in hospitals. However, the study states that they remain a source of cybersecurity concern warranting significant attention. Specifically, device vulnerabilities can allow advanced cyber incidents to spread across an organization, and unsupported, legacy medical devices may be more vulnerable to cyber incidents.

To address its first objective, GAO selected a set of non-federal entities by reviewing a list of members in the HSCC and focusing on large associations of medical device manufacturers, health systems, and healthcare providers whose missions support medical device cybersecurity. It sought the input of these associations regarding additional entities that had a role or insights on the topic and contacted the federal agencies, as well as GAO subject matter experts, regarding the selection of patient advocacy organizations. 

This resulted in a list of 25 non-federal entities composed of a cross-section of organizations and experts representing medical device manufacturers, health systems, healthcare providers, and patients. GAO interviewed representatives from these 25 entities and performed an analysis of the interview results to develop a list of challenges.

To address its second and third objectives, GAO selected a set of agencies with responsibility for medical device cybersecurity. The agency did so based on a review of previous GAO work and public reports by federal agencies and relied on suggestions from officials with the FDA and CISA. 

Specifically, GAO selected the National Institute of Standards and Technology (NIST) at the Department of Commerce, Defense Health Agency at the Department of Defense, Administration for Strategic Preparedness and Response at the HHS, Centers for Medicare and Medicaid Services at the HHS, FDA at the HHS, Indian Health Service at the HHS, Office for Civil Rights at the HHS, Office of the National Coordinator for Health Information Technology at the HHS, CISA at the DHS, FBI at the DoJ, and Veterans Health Administration at the Department of Veterans Affairs.

“We reviewed agency documentation on medical device cybersecurity, as well as any memorandums of agreement or understanding that coordinating agencies had developed,” GAO said in its report. “We assessed agency documentation against eight leading collaboration practices and fragmentation, overlap, and duplication from prior GAO work. We also interviewed agency officials with responsibility for medical device cybersecurity and assessed responses against the leading practices. To address our fourth objective, we evaluated relevant sections of legislation, regulations, and guidance to understand the scope of agencies’ authority over the cybersecurity of medical devices.”

To address its fourth objective, GAO evaluated relevant sections of legislation, regulations, and guidance to understand the scope of agencies’ authority over the cybersecurity of medical devices. Specifically, the agency evaluated relevant portions of the Federal Food, Drug, and Cosmetic Act, Consolidated Appropriations Act, 2023, Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Security Rule, and federal agency guidance about medical device cybersecurity, including FDA’s draft premarket cybersecurity guidance.

Where agencies identified actions to mitigate risk associated with potential limitations, GAO reviewed documentation associated with FDA’s postmarket guidance and coordination with other agencies. The watchdog also interviewed agency officials responsible for medical device cybersecurity. 

GAO found that, as the lead agency responsible for the cybersecurity of medical devices, the FDA facilitates collaboration with other federal agencies. The FDA developed a documented coordination agreement with CISA to support the cybersecurity of medical devices; however, the agreement is outdated and does not reflect organizational and procedural changes that have occurred over the last five years. By updating its written agreement with CISA, the FDA can enhance coordination and help ensure clarity about current roles in addressing medical device cybersecurity. Further, although limitations in authority exist for older devices, the FDA has taken actions to mitigate the risks associated with these limitations.

Based on its findings, GAO made one recommendation to the FDA and one to CISA. It recommended that the Commissioner of Food and Drugs work with CISA to update the agencies’ agreement to reflect organizational and procedural changes that have occurred, and that the CISA director work with the FDA to do the same.

Last month, GAO reported that federal agencies have made some progress in implementing incident response requirements, but that full implementation is still needed. Of the 23 civilian agencies covered by the Chief Financial Officers (CFO) Act of 1990, 20 have not met the requirements for investigation and remediation (event logging) capabilities. Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained.
