In the ongoing battle against hackers, the Department of Homeland Security (DHS) and the Food and Drug Administration (FDA) have issued a memorandum of agreement to create a new framework for better coordination on the hacking front.

“As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients. The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” said FDA Commissioner Dr. Scott Gottlieb.

But fighting hackers and keeping medical devices cyber-safe is bigger than any single government agency, as it is so multifaceted that each has a “unique” role to play. The new arrangement addresses the need for this type of all-front approach.

“Our strengthened partnership with DHS will help our two agencies share information and better collaborate to stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities, and assist the healthcare sector in being well positioned to proactively respond when cyber vulnerabilities are identified,” he stressed.

Calling spotting and fixing medical device vulnerabilities a “a top priority,” Christopher Krebs, undersecretary for the National Protection and Programs Directorate at DHS, stated that the agency has “some of the top experts on control systems technology, and we look forward to continuing to leverage this expertise for the sake of improving the lives and safety of people across the country.”

The working relationship has been ongoing for a number of years, most notably around coordination of vulnerability disclosures, and the agreement will build on that. It will enable the FDA’s Center for Devices and Radiological Health and DHS’ Office of Cybersecurity and Communications to have increased coordination about vulnerabilities and threats, the agencies added.

DHS will remain the central medical device vulnerability coordination center and communicate with the various stakeholders, including medical device manufacturers, researchers and the FDA, “particularly in the event of cybersecurity vulnerabilities in medical devices that are identified to the Department of Homeland Security,” it noted.

The agreement is timely in light of the ongoing hacking episodes in both the healthcare space and worldwide in all sectors.

In 2018, Philips, Silex and GE hack vulnerabilities were found in May and March, for example, when DHS issued cyber vulnerability advisories for the Philips Brilliance CT system, and the Silex Technology SX-500/SD-320AN and GE Healthcare MobileLink.

And in August, some Siemens PET/CT scanners were found vulnerable to hacking, both the company and the Department of Homeland Security's Industrial Control System Computer Emergency Response Team (ICS-CERT) advised.

“Exploits that target these vulnerabilities are publicly available,” the ICS-CERT advisory noted, adding that, “an attacker with low skill would be able to exploit these vulnerabilities.”

The hacks can threaten life – but also the pocketbook.

On Monday, Anthem agreed to a record $16 million government fine to settle any possible violations of patient privacy rules over its massive hack in 2014-15 that exposed personal data of almost 80 million patients, including names, birth dates, Social Security numbers and medical IDs.

Health IT Homepage