FDA cybersecurity agreement on medical devices needs updating, watchdog finds

Medical devices like heart monitors, which are under the purview of the Food and Drug Administration, have cybersecurity vulnerabilities that aren’t frequently exploited but nevertheless pose risks to hospital networks and patients, according to a recent watchdog report. 

The Government Accountability Office highlighted that the FDA’s formal agreement on medical device cybersecurity is five years old and needs to be updated with the help of the Cybersecurity and Infrastructure Security Agency, a move that would improve agency coordination and clarify responsibilities.

“According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits,” the GAO report stated. 

“Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”

The GAO report found that the FDA’s authority over medical device cybersecurity has increased in recent years. This is attributable to December 2022 legislation that mandated that medical device manufacturers submit to the FDA their plans to identify and address cybersecurity vulnerabilities for any new medical devices introduced to consumers starting in March 2023.

The GAO report also noted that FDA officials are currently implementing new cybersecurity authorities from past legislation and have not yet identified the need for any additional authority. 

According to FDA guidance, if medical device manufacturers do not fix cyber vulnerabilities, the agency can find that the manufacturers have violated federal law and can penalize them through enforcement actions.

The GAO report recommended that the FDA and CISA update their medical device cyber agreement to reflect organizational and procedural changes that have occurred. Both agencies agreed with the recommendations.

Written by Nihal Krishan

Nihal Krishan is a technology reporter for FedScoop. He came to the publication from The Washington Examiner where he was a Big Tech Reporter, and previously covered the tech industry at Mother Jones and Global Competition Review.

In addition to tech policy, he has also covered national politics with a focus on the economy and campaign finance. His work has been published in the Boston Globe, USA TODAY, HuffPost, and the Arizona Republic, and he has appeared on NPR, SiriusXM, and PBS Arizona. Krishan is a graduate of Arizona State University’s Walter Cronkite School for Journalism.
