GAO Report: FDA Needs to Renew Medical Device Cybersecurity Agreement With CISA

The Government Accountability Office said the Food and Drug Administration needs to update medical device cybersecurity protocols it made with the Cybersecurity and Infrastructure Security Agency to mitigate health care-related risks.

The GAO’s report found that while minimal exploits on medical devices exist, the FDA and CISA must update their formal agreement on device security to minimize threats against hospitals, health care networks and patients. The federal oversight body found that the FDA has been increasingly monitoring health care devices and is implementing new authorities from past legislation.

The FDA and CISA agreed with the GAO’s recommendations, FedScoop reported Tuesday.

Beyond medical device security, the FDA has ramped up cybersecurity oversight and technological capabilities for the health care sector.

In October, the agency introduced the Digital Health Advisory Committee, which advises the FDA on emerging technologies, health devices and other products that can be used across the health care sector. The committee was also tasked with providing expertise to improve the agency’s understanding of the risks and benefits associated with new technologies.

Earlier in the month, the FDA implemented a new rule under the Food, Drug and Cosmetic Act that requires medical equipment manufacturers to ensure that internet-connected devices have built-in security features to prevent hackers from maliciously accessing them.