FDA Releases Cybersecurity Modernization Plan

Medmarc

December 9, 2022

The FDA has released an action plan for modernizing the agency’s cybersecurity capabilities, a component of the FDA digital transformation project. The plan adopts the Zero Trust paradigm, under which every user and device is authenticated and authorized on each access request, whether it originates inside or outside the agency’s network. For manufacturers, the practical consequence is stronger protection of the proprietary information contained in regulatory submissions held in FDA systems.

This Cybersecurity Modernization Action Plan, or MAP, is a response to a 457% increase in attempted attacks on the agency’s website during the COVID-19 pandemic. That increase included attempted denial-of-service attacks and a total of 9.5 billion firewall and intrusion-detection blocks each month. The Office of Management and Budget announced on Jan. 26, 2022 (memorandum M-22-09) that federal agencies would have to adopt Zero Trust architecture to secure their systems and web portals.

The underpinnings of the FDA approach to Zero Trust are found in a special publication by the National Institute of Standards and Technology (NIST SP 800-207, Zero Trust Architecture), which requires that a user be both authenticated and authorized for each resource accessed, regardless of the user’s location. The approach also presumes that network location is no longer the primary basis for a trust decision: with data held in cloud storage and a growing share of staff connecting remotely, the number of access points has multiplied and the traditional network perimeter no longer defines who can be trusted.

The FDA MAP also leverages the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model and will use artificial intelligence (AI) tools to analyze ongoing activity for indicators of a potential breach. The plan acknowledges the need to invest further in the FDA’s cybersecurity team but offers no details as to how many new hires this will require.

The implementation plan consists of the five pillars of Zero Trust. The first, identity, calls for a robust set of identity, credential and access management tools together with multi-factor authentication. The second pillar, devices, covers inventorying and monitoring the computers that connect to FDA systems so that unauthorized or anomalous activity can be detected. The third, fourth and fifth pillars are monitoring and segmentation of the network environment, management of applications and workloads, and protection and encryption of the data held in the FDA’s IT systems.

Deployment of the MAP will also require three cross-cutting support pillars. The first is visibility and analytics, with data from the various systems in use at the agency feeding a dashboard that FDA staff can use to monitor activity. The second is a greater degree of automation of cybersecurity tooling, and the third is governance, including the formation of committees to oversee implementation of the MAP.

Sen. Mark Warner (D-Va.) released a white paper on cybersecurity in November, which states that Americans experienced a 32% increase in cyber threats in 2021 compared to 2020, driven largely by attacks on health care IT systems. The paper cites reliance on legacy IT systems as a source of concern, along with the ever-increasing number of connected devices. Warner stated that the value of health information on the black market now exceeds that of credit card information, adding that the health care industry suffers the highest cost per breach of any industry in the U.S. The paper poses several questions about U.S. national cybersecurity policy, such as whether the Department of Health and Human Services (HHS) is adequately fulfilling its role as the sector risk management agency (SRMA) for the health care and public health sector.

Warner stated that the cybersecurity question also bears on protection of intellectual property, citing the People’s Republic of China as a source of such concerns. The paper raises the question of whether the Health Insurance Portability and Accountability Act (HIPAA) should be updated to reflect the now routine threat of cybersecurity breaches, including the possibility that a wider range of entities would become subject to regulations promulgated under HIPAA. However, the paper also suggests that privacy and cybersecurity might be more appropriately addressed in separate legislation and distinct regulatory regimes.

The Stark law and the Anti-Kickback Statute may also need revision, Warner stated, because the existing safe harbors may impede the sharing or donation of cybersecurity resources between health care organizations. An expanded safe harbor carries its own risk, however: organizations that receive donated cybersecurity resources may externalize the cost of, and responsibility for, their own cybersecurity, to the detriment of patients.


Copyright © 2023 - Medmarc

Medmarc is a part of ProAssurance Group, a family of specialty liability insurance companies. The product material is for informational purposes only. In the event any of the information presented conflicts with the terms and conditions of any policy of insurance offered from ProAssurance, its subsidiaries, and its affiliates, the terms and conditions of the actual policy will apply.