Saturday, December 23, 2023

GAO Reports – Week of 12-16-23 – Medical Device Cybersecurity Oversight

This week the Government Accountability Office (GAO) published a report on “Medical Device Cybersecurity”. The report was required by last year’s consolidated spending bill (§3305 of PL 117-328, 136 STAT. 5832). That section added §524B, Ensuring Cybersecurity of Devices, to the Federal Food, Drug, and Cosmetic Act. Subsection (g) of that new section required the GAO to examine:

Challenges for device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies,

How Federal agencies can strengthen coordination to better support cybersecurity for devices, and

Statutory limitations and opportunities for improving cybersecurity for devices.

The report identifies the agencies of the Federal government that share some level of responsibility for oversight of medical device cybersecurity with the Food and Drug Administration. In addition to various HHS agencies, these include CISA and the FBI.

While a number of agencies are named in this report, the GAO makes recommendations to only two of them. There are two recommendations, but they are really two sides of the same one: for the FDA and CISA “to update the agencies’ agreement to reflect organizational and procedural changes that have occurred” since the current agreement was signed in 2018.
