The Government Accountability Office (GAO) has recommended that the Food and Drug Administration (FDA) update its five-year-old medical device cybersecurity agreement with the Cybersecurity and Infrastructure Security Agency (CISA). The update is necessary to address cybersecurity vulnerabilities in heart monitors and other medical devices. While the FDA has increased its oversight of medical device cybersecurity, it has not determined additional cybersecurity authorities, according to the GAO. The FDA and CISA have accepted the GAO’s recommendations.
The GAO notes that available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been commonly exploited. However, the Department of Health and Human Services (HHS) still considers medical devices a source of cybersecurity concern that warrants significant attention and can introduce threats to hospital cybersecurity. The GAO’s recommendation for an updated agreement reflects the need to proactively address potential vulnerabilities and protect patient safety.