According to the Department of Health and Human Services (HHS), existing data on cybersecurity incidents within hospitals does not indicate a prevalence of exploits targeting vulnerabilities in medical devices. However, HHS emphasizes that medical devices remain a focus of cybersecurity concerns and deserve significant attention. Although these devices have not been widely exploited based on available data, they still pose a potential threat to hospital cybersecurity, as shown in the accompanying diagram.
Figure: Example of a compromised medical device that can lead to disruption of other devices on the hospital network
Non-federal entities, including health care providers, patients, and other stakeholders, have expressed challenges using federal assistance to address cybersecurity vulnerabilities. These challenges include a lack of awareness about available resources and contacts, and difficulty understanding vulnerability notifications from the federal government. Notably, key government agencies have taken steps to address these concerns, and their effectiveness is contingent on successful implementation.
Importantly, leading agencies are actively coordinating efforts to manage medical device cybersecurity. The agreement established five years ago by the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) has incorporated many collaborative best practices. However, this agreement needs to be updated to reflect the organizational and procedural changes that have taken place since 2018.
Recent legislation, effective December 2022, expands the FDA’s authority over medical device cybersecurity. Under the law, manufacturers are required to submit plans to monitor, identify, and address cybersecurity vulnerabilities in new medical devices introduced after March 2023. Importantly, this legislation is prospective and will not apply retroactively to devices introduced before March 2023, unless the changes result in a new marketing application.
FDA officials are implementing the new cybersecurity powers, but do not see a need for additional powers at this time. Existing measures, such as monitoring alerts from health departments and CISA, instructing manufacturers to communicate vulnerabilities to their user communities, and requiring remediation as necessary, are within their current capabilities.
Specifically, the FDA’s guidance authorizes FDA officials to take enforcement action if a manufacturer fails to fix a vulnerability and the device is found to violate federal law. Given the significant impact of cyber threats on medical devices, including disruption of patient care, leakage of sensitive data, and outages, the FDA has a critical role to play in ensuring the safety and effectiveness of these devices.
The Consolidated Appropriations Act of 2023 required GAO to conduct cybersecurity reviews of medical devices. This report describes the challenges faced by relevant non-federal entities, the actions taken by federal agencies to address the identified challenges, the coordination efforts of key agencies in medical device cybersecurity, and the limitations on the authority of government agencies.
In conducting this assessment, GAO identified federal agencies with roles in medical device cybersecurity and engaged with 25 non-federal agencies representing a diverse range of stakeholders. The evaluation included interviews, document review, and comparison of the coordination effort with established collaboration best practices, supplemented by research into relevant legislation and guidance.
Read the full GAO report here.