The U.S. Food and Drug Administration (FDA) announced an agreement with the U.S. Department of Homeland Security (DHS) to strengthen the partnership between the agencies and “stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities.”
The agreement formalizes a long-standing relationship by developing a new framework for greater coordination and cooperation. As part of the new framework, specific responsibilities have been assigned to the FDA and the National Protection and Programs Directorate (NPPD), a component of the DHS. The following table provides a breakdown of the responsibilities outlined in the agreement:
|FDA Responsibilities||NPPD Responsibilities|
|1. Coordinate and participate in regular, ad hoc, and emergency coordination calls to enhance mutual awareness of vulnerabilities and threats||1. Serve as central medical device vulnerability coordination center|
|2. Provide NPPD with draft public releases to facilitate coordination of messaging||2. Participate in regular, ad hoc, and emergency coordination calls with FDA to enhance mutual awareness of vulnerabilities and threats|
|3. Comment in a timely manner on NPPD draft advisories and alerts||3. Confer with entities providing sensitive information prior to sharing any CCI, trade secret, or PCII-protected vulnerability or product information with the FDA|
|4. Assess the risk to health and patient harm when potential impact is disputed||4. Coordinate with FDA on the content of alerts and advisories to be published by DHS|
|5. Submit requests to NPPD for independent third-party technical assistance to analyze and test medical systems||5. Maintain technical capabilities to support requests for independent third-party analysis regarding the impact of vulnerabilities|
|6. Share non-trade secret information to resolve disputes of risk, impacts, and communication||6. Publish healthcare and public health related alerts and advisories|
In summary, the DHS will serve as the central coordination center and interface with appropriate stakeholders, and the FDA will provide technical and clinical expertise regarding medical devices.
FDA Commissioner Scott Gottlieb, M.D., during his discussion of the new agreement, addressed the FDA’s continued commitment to confront cybersecurity risk, while also recognizing the need for increased coordination between government agencies:
The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns . . . But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. That’s why this announcement is so important.
This agreement is not the first time a government agency has reached out to the FDA in an effort to strengthen medical device cybersecurity. As previously reported on the KnobbeMedical blog, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General recommended earlier this year that the FDA include cybersecurity review as a greater part of the premarket review process for medical devices (e.g., through the inclusion of a Refuse-To-Accept checklists). This new FDA-DHS agreement is another example of continuing attempts to address ongoing medical device cybersecurity risks.