GAO: Updated FDA medical device cyber agreement needed

FedScoop reports that the Food and Drug Administration has been recommended by the Government Accountability Office to update its five-year-old medical device cybersecurity agreement with the Cybersecurity and Infrastructure Security Agency to better address cybersecurity vulnerabilities impacting heart monitors and other medical devices. Even though the FDA has increased its hold over medical device cybersecurity following last year's legislation requiring vulnerability identification and remediation plans among medical device manufacturers, the agency has yet to determine additional cybersecurity authorities, according to the GAO. "According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits. Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity," said the GAO. GAO's recommendations were accepted by both FDA and CISA.