It's time FDA and CISA update their medical device agreement, says GAO

The Government Accountability Office has completed its investigation into medical device cybersecurity under the Consolidated Appropriations Act of 2023 and recommended that the Commissioner of Food and Drugs at the U.S. Food and Drug Administration and the Director of the Cybersecurity and Infrastructure Security Agency update their agencies' medical device cybersecurity coordination agreement.

WHY IT MATTERS

GAO said in a summary released with the Dec. 21 report that it interviewed 25 non-federal entities representing health care providers, patients and medical device manufacturers to learn what challenges they face in accessing federal cybersecurity support for medical equipment, and how agencies are addressing those challenges.

The federal watchdog agency said it also analyzed relevant legislation and guidance and interviewed officials from eleven agencies to compare federal coordination efforts with leading collaborative practices and to understand where limitations exist in the regulatory agency's authority over the cybersecurity of medical equipment.

Cybersecurity requirements for the FDA's premarket review submissions of medical devices were not in effect until March 2023.

“As such, a device manufacturer that filed before March 2023 would not be subject to the new requirements unless the manufacturer submits a new marketing application for changes to the device,” the GAO said.

Although the Consolidated Appropriations Act improves the cybersecurity of medical devices, limitations exist in the FDA's authority over older legacy devices, according to the report.

The FDA does not regulate the use or maintenance of these devices in healthcare.

“For example, an MRI machine may still be in use decades after it is approved for use by the FDA, but the manufacturer may no longer provide updates that can address evolving cyber threats,” the GAO said.

It also said the FDA is implementing new cybersecurity authorities through recently passed legislation, but has not yet identified a need for additional authority.

“They can take steps to help ensure device cybersecurity under existing authorities, such as monitoring health sector and CISA alerts, and directing manufacturers to communicate vulnerabilities to user communities and remediate the vulnerabilities,” the GAO said.

Under FDA guidelines, if manufacturers do not fix the vulnerabilities, the agency may find that the device violates federal law and subject it to enforcement action, the report said.

The GAO said it provided a draft of the report to the 11 agencies prior to its release, and three agencies commented. The Department of Health and Human Services responded on behalf of the FDA, agreeing with GAO and committing to work with the Cybersecurity and Infrastructure Security Agency. The Department of Homeland Security responded in kind on behalf of CISA.

THE BIG TREND

Last year, the FDA released draft guidance on medical device cybersecurity, while the Federal Bureau of Investigation has drawn attention to the cybersecurity risks posed by legacy medical devices that, if exploited, could compromise healthcare facility operations, patient safety, data confidentiality and data integrity.

Meanwhile, vulnerabilities in the software and firmware that power medical devices and other healthcare IT applications continue to increase. Nearly four times as many have been weaponized as last year, researchers at the Health Information Sharing and Analysis Center said in August.

The FDA's final guidance, released in September, noted that the Consolidated Appropriations Act amended section 524B(a) of the FD&C Act to require developers to submit, with their 510(k) premarket applications, information ensuring that cyber devices comply with cybersecurity requirements. Experts say the software bill of materials (SBOM) included in those requirements will help federal agencies and healthcare security teams better maintain medical device cybersecurity in the long term.

The FDA is also developing guidance for artificial intelligence and machine learning devices that will require change control plans in marketing submissions.

ON THE RECORD

“The FDA has developed a documented coordination agreement with CISA to support medical device cybersecurity; however, the agreement is outdated and does not reflect the organizational and procedural changes that have occurred over the past five years,” the GAO said in its report.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.