Report calls on federal agencies to update medical device cybersecurity agreement

Many medical devices like heart monitors or insulin pumps rely on connected networks.

They allow doctors, nurses, and other caretakers to track a patient’s status in real time, and that data can be put into an electronic health records system.

But those network connections can also put the devices at risk of cyber-attacks.

A watchdog report from the U.S. Government Accountability Office (GAO) reveals that the federal agencies in charge of making sure these devices are protected need to update their cybersecurity agreement.

The report warns that although a cyber-attack against a medical device is not common, an attack has the potential for serious consequences.

“Cyber incidents that impact medical devices could delay critical patient care, reveal sensitive data, shut down health care provider operations, and necessitate costly recovery efforts,” the report said.

We spoke with GAO about the potential dangers.

“Say there was a physician operating on a patient in an operating room and some attack happened. That patient would be losing minutes upon minutes of getting that provided service that they need,” said Jennifer Franks, Director of GAO’s Center for Enhanced Cybersecurity.

According to the report, 53 percent of connected medical devices and connected devices in hospitals had known critical vulnerabilities as of January 2022.

The findings say the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) developed an agreement for practices to protect cybersecurity for medical devices, but that agreement hasn’t been updated in five years.

“Yes, you’re highlighting that you have defined shared goals. You have addressed bridging organizational gaps. You’ve even defined some of the leaders that should be responsible in our organization but things that you have not done are ensuring accountability or identifying the relevant participants that are highlighted in those agreements,” said Franks about the need for updates. “What this could really help the agencies to do is to just better monitor and assess and even communicate progress short or long term so if a vulnerability did take place, where are you going to get your information and who is going to be leading said information.”

In a statement, Stephen Hughes, Director of Health Information and Technology Policy for the American Hospital Association, said: “The American Hospital Association appreciates the ongoing collaboration between FDA and the Cybersecurity and Infrastructure Security Agency (CISA) as well as the vigilance of FDA in requiring medical device manufacturers to monitor, identify and address cybersecurity vulnerabilities for all devices introduced after March 2023. In addition, we appreciate the pressure they’ve put on device manufacturers to continue providing support and critical security updates on devices that are already in use. However, the AHA feels that the FDA and CISA need to carefully consider the clinical, operational and financial challenges facing hospitals when older medical devices that are still functional, safe and useful can no longer be protected from cyber security threats and may not be easily replaceable. Given that many of these devices, such as heart monitors and infusion pumps, are critical components to delivering care, any disruption to the device or the system supporting those devices could put a patient directly at risk.”