FDA should have sole responsibility for medical device security, says board

Proof-of-concept hacks have been demonstrated for medical devices, including pacemakers and insulin pumps

In a recent letter to the Office of Management and Budget (OMB), the board also recommended that the US Computer Emergency Readiness Team (US-CERT) handle reporting of cybersecurity incidents involving medical devices.

In addition, the FDA should work with the National Institute of Standards and Technology (NIST) to develop cybersecurity features for medical devices that could be enabled by default, the board advised.

“Software-controlled medical devices are increasingly available through and exposed to cybersecurity risks on the internet: examples range from desktop computers controlling radiological imaging to customer embedded software found in pacemakers”, the board warned.

“Further complicating this picture, the economics of medical device cybersecurity involves a complex system of payments between multiple stakeholders – including manufacturers, providers, and patients. At the same time, no one agency has primary responsibility from Congress to ensure the cybersecurity of medical devices deployed across this spectrum”, the board observed.

The board is also recommending that one federal agency should be responsible for establishing training and education programs regarding the risks associated with networked and wireless medical devices.

In a separate letter to OMB, the board recommended that outdated computer operating systems used by the federal government should be phased out. “This would have a significant positive impact on the cybersecurity posture of federal agencies, and would demonstrate security leadership by example from the government”, the board explained.
 
