FDA & DHS Coordinate Efforts to Address Cybersecurity

The U.S. Food and Drug Administration (FDA) announced an agreement with the U.S. Department of Homeland Security (DHS) to strengthen the partnership between the agencies and “stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities.”

The agreement formalizes a long-standing relationship by developing a new framework for greater coordination and cooperation. As part of the new framework, specific responsibilities have been assigned to the FDA and the National Protection and Programs Directorate (NPPD), a component of the DHS. The following table provides a breakdown of the responsibilities outlined in the agreement:

FDA Responsibilities NPPD Responsibilities
1. Coordinate and participate in regular, ad hoc, and emergency coordination calls to enhance mutual awareness of vulnerabilities and threats 1. Serve as central medical device vulnerability coordination center
2. Provide NPPD with draft public releases to facilitate coordination of messaging 2. Participate in regular, ad hoc, and emergency coordination calls with FDA to enhance mutual awareness of vulnerabilities and threats
3. Comment in a timely manner on NPPD draft advisories and alerts 3. Confer with entities providing sensitive information prior to sharing any CCI, trade secret, or PCII-protected vulnerability or product information with the FDA
4. Assess the risk to health and patient harm when potential impact is disputed 4. Coordinate with FDA on the content of alerts and advisories to be published by DHS
5. Submit requests to NPPD for independent third-party technical assistance to analyze and test medical systems 5. Maintain technical capabilities to support requests for independent third-party analysis regarding the impact of vulnerabilities
6. Share non-trade secret information to resolve disputes of risk, impacts, and communication 6. Publish healthcare and public health related alerts and advisories

In summary, the DHS will serve as the central coordination center and interface with appropriate stakeholders, and the FDA will provide technical and clinical expertise regarding medical devices.

FDA Commissioner Scott Gottlieb, M.D., during his discussion of the new agreement, addressed the FDA’s continued commitment to confront cybersecurity risk, while also recognizing the need for increased coordination between government agencies:

The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns . . . But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. That’s why this announcement is so important.

This agreement is not the first time a government agency has reached out to the FDA in an effort to strengthen medical device cybersecurity. As previously reported on the KnobbeMedical blog, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General recommended earlier this year that the FDA include cybersecurity review as a greater part of the premarket review process for medical devices (e.g., through the inclusion of a Refuse-To-Accept checklists). This new FDA-DHS agreement is another example of continuing attempts to address ongoing medical device cybersecurity risks.

Albert Sueiras
Albert Sueiras is an associate in the Orange County office. Mr. Sueiras received his bachelor's degree in Biomedical Engineering, cum laude, from the University of Miami and also received his master's degree in Biomedical Engineering, cum laude, from the University of Florida. He received his J.D. from the University of Florida Levin College of Law, where he was a member of Phi Delta Phi. During law school, Mr. Sueiras externed at the United States Patent and Trademark Office within Art Unit 3733, focusing on patent examination of orthopedic surgical instrumentation. Mr. Sueiras also participated in a patent prosecution externship at Banyan Biomarkers, Inc. in Alachua, Florida, a firm specializing in the discovery of biomarkers for traumatic brain injury and neurotoxicity. Mr. Sueiras worked as a summer associate at the firm in 2015 and joined the firm in 2016.
Click here to read full bio
View all posts published by Albert Sueiras »

Leave a Reply

By using this blog, you agree and understand that no information is being provided in the context of any attorney-client relationship. You further agree and understand that nothing herein is intended to be legal advice. This blog is solely informational in nature, and is not intended as, and should not be used as, a substitute for competent legal advice from a retained and licensed attorney in your state. Knobbe Martens LLP makes no representations or warranties as to the accuracy, completeness, timeliness or availability of the information in this blog. Knobbe Martens LLP will not be liable for any injury or damages relating to your use of, or access to, any such information. Knobbe Martens LLP undertakes no obligation to correct or update information on this blog, which may be incorrect or become incorrect or out of date over time. Knobbe Martens LLP reserves the right to alter or delete content or information on the blog at any time. This blog contains links and references to other websites and publications that you may find of interest. Knobbe Martens LLP does not control, promote, endorse or otherwise have any affiliation with any other websites or publications unless those websites or publications expressly state such an affiliation. Knobbe Martens LLP further has no responsibility for, and makes no representations regarding, the content, accuracy or any other aspect of the information in such websites or publications.