- The Department of Homeland Security and FDA announced Tuesday the two agencies have agreed to a new framework aiming to coordinate efforts on medical device cybersecurity.
- FDA's device center and the DHS Office of Cybersecurity and Communications will increase information sharing of potential or confirmed device vulnerabilities and threats under the memorandum of agreement.
- Under the agreement, DHS will continue to be the lead group coordinating a central medical device cybersecurity response among FDA, medical device manufacturers and researchers. FDA will be consulted for technical and clinical advice through calls with DHS "regarding the risk to patient health and potential for harm posed by identified cybersecurity threats and vulnerabilities."
The MOA simply formalizes what FDA says is an existing relationship that aims to protect patients who depend on medical devices by enhancing technical capabilities between DHS and FDA and accelerating standards development. It also establishes a new foundation that allows the National Protection and Programs Directorate to "support FDA as an independent third-party for technical assistance and testing."
"Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks," FDA said in a press release.
The agreement comes months after FDA launched its Medical Device Safety Action Plan. Earlier this month FDA published a cybersecurity playbook in coordination with the Mitre Corporation.
"The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns," FDA Commissioner Scott Gottlieb said in a statement. "But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone."
Christopher Krebs, undersecretary for the National Protection and Programs Directorate at DHS, pointed to the new agreement as another step towards mitigating vulnerabilities in medical devices.
"DHS has some of the top experts on control systems technology, and we look forward to continuing to leverage this expertise for the sake of improving the lives and safety of people across the country. DHS has enjoyed a great working relationship with the FDA for several years and look forward to this agreement making that working relationship even stronger and more effective," Krebs said in a statement.
Under the agreement, DHS and FDA must "develop a standard operating procedure for information sharing and exchange," within 90 days. They also are directed to establish safeguards to protect non-public information shared between the two agencies.