According to the Department of Health and Human Services (HHS), existing data on cybersecurity incidents within hospitals do not indicate a prevalence of exploits targeting medical device vulnerabilities. However, HHS emphasizes that medical devices remain a focal point of cybersecurity concern and merit considerable attention. Even though available data show they are not extensively exploited, a compromised device can still threaten the wider hospital network, as illustrated in the accompanying figure.
Figure: Example of a Compromised Medical Device That Can Lead to Disruption of Other Devices on a Hospital Network
Non-federal entities, encompassing healthcare providers, patients, and other pertinent stakeholders, have voiced challenges in accessing federal assistance to address cybersecurity vulnerabilities. These challenges include a lack of awareness regarding available resources or contacts and difficulties comprehending vulnerability communications from the federal government. Notably, key agencies have undertaken measures to address these concerns, with potential effectiveness contingent on successful implementation.
Crucially, major agencies are actively coordinating efforts to manage medical device cybersecurity. An agreement established five years ago between the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) addresses many of the collaboration best practices. However, this agreement requires updating to reflect the organizational and procedural changes that have occurred since 2018.
Recent legislation, effective from December 2022, has expanded FDA authority over medical device cybersecurity. Under this legislation, manufacturers are mandated to submit plans to monitor, identify, and address cybersecurity vulnerabilities for new medical devices introduced from March 2023 onwards. Importantly, this legislation is prospective and does not retroactively apply to devices introduced before March 2023, unless changes prompt a new marketing application.
While FDA officials are implementing new cybersecurity authorities, they have not identified a need for additional authority at this stage. Existing measures, such as monitoring alerts from the health sector and CISA, directing manufacturers to communicate vulnerabilities to user communities, and enforcing remediation when necessary, fall within their current capabilities.
Notably, FDA guidance empowers the agency to take enforcement action if manufacturers fail to rectify vulnerabilities, and it may find such devices to be in violation of federal law. Given the serious consequences cyber threats to medical devices can have, including disruptions to patient care, exposure of sensitive data, and operational shutdowns, FDA plays a pivotal role in ensuring the safety and effectiveness of these devices.
The Consolidated Appropriations Act, 2023, mandated GAO to conduct a review of cybersecurity in medical devices. This report systematically addresses the challenges faced by relevant non-federal entities, the measures taken by federal agencies to address identified challenges, the coordination efforts of key agencies in medical device cybersecurity, and any limitations in agencies’ authority over medical device cybersecurity.
GAO, in undertaking this evaluation, identified federal agencies with roles in medical device cybersecurity and engaged with 25 non-federal entities representing diverse stakeholders. The assessment involved interviews, document reviews, and a comparison of coordination efforts against established collaboration best practices, supplemented by an examination of relevant legislation and guidance.
Read the full GAO report here.