The Government Accountability Office (GAO) recommended that the U.S. FDA and the Cybersecurity and Infrastructure Security Agency (CISA) update a five-year-old agreement coordinating medical device cybersecurity to reflect the FDA’s increased authority. The FDA, CISA and other key agencies originally teamed up in 2018 to better coordinate medical device cybersecurity communication with manufacturers and healthcare facilities.

The agreement was made after healthcare providers and other relevant parties detailed the challenges they were facing: a lack of awareness of resources or contacts, and difficulties understanding vulnerability communications from the federal government.

However, the GAO found that the original agreement needed to be updated to reflect organizational and procedural changes that have occurred since 2018.

The FDA, in particular, has gained authority in medical device cybersecurity based on December 2022 legislation that requires medical device manufacturers to submit to the FDA their plans to monitor, identify and address cybersecurity vulnerabilities for any new medical devices introduced after March 2023.

Earlier this year, the GAO was tasked with reviewing cybersecurity in medical devices, and it produced a report that identified the ways the original agreement needed to be updated. Both the FDA and CISA have agreed with the GAO’s recommendations.