MOU 225-16-024

MEMORANDUM OF UNDERSTANDING
BETWEEN THE NATIONAL HEALTH INFORMATION SHARING & ANALYSIS CENTER, INC. (NH-ISAC),
Medical Device Innovation, Safety and Security Consortium (MDISS)
AND THE U.S. FOOD AND DRUG ADMINISTRATION
CENTER FOR DEVICES AND RADIOLOGICAL HEALTH
 
 
I.        Purpose:
 
The United States Food and Drug Administration (FDA)’s Center for Devices and Radiological Health (CDRH) and The National Health Information Sharing & Analysis Center, Inc. (NH-ISAC) and The Medical Device Innovation, Safety and Security Consortium (MDISS) have a shared interest in encouraging the identification, mitigation, and prevention of cybersecurity threats to medical devices.   FDA, NH-ISAC and MDISS are each referred to individually as a “Party” and collectively as the “Parties.” This Memorandum of Understanding (MOU) establishes the terms for collaboration to promote this shared interest. This MOU supersedes MOU 225-14-0019 that had been previously executed on August 26, 2014, between FDA and NH-ISAC.
 
II.      Background:         
 
1.      FDA is authorized to enforce the Federal Food, Drug, and Cosmetic Act (“the Act”) as amended (21 U.S.C. 301). In fulfilling its responsibilities under the Act, FDA, among other things, directs its activities toward promoting and protecting the public health by ensuring the safety, efficacy, and security of drugs, biological products, veterinary products, medical devices and radiological products and the safety and security of foods and cosmetics. CDRH is responsible for assuring that patients and providers have timely and continued access to safe, effective, and high-quality medical devices and safe radiation-emitting products. To accomplish its mission, FDA takes efforts to stay abreast of the latest technological advances and developments in research by communicating with stakeholders about complex scientific and public health issues.
 
2.      NH-ISAC, a member owned non-profit organization, is the Information Sharing and Analysis Center (ISAC) for the nation’s healthcare and public health critical infrastructure, recognized by the U.S. Department of Health and Human Services (HHS), the HHS Health Sector Coordinating Council (SCC), the US Department of Homeland Security (DHS), the National Council of ISACs (representing all the nation’s critical infrastructures ISACs), intelligence agencies, law enforcement and the health sector.
 
NH-ISAC is a member-driven system of security intelligence information exchange among trusted entities for the purposes of providing members with actionable cybersecurity for intelligence situational awareness, information sharing capabilities supporting effective countermeasure solutions, and coordinated cybersecurity incident response. As a non-profit organization, NH-ISAC represents a trusted community comprised of national healthcare and public health critical infrastructure owners and operators and the organizations supporting the health sector.
 
The mission of the NH-ISAC is to foster, enable and preserve the public trust by advancing health sector physical and cybersecurity resilience and the ability to prepare for and respond to threats and vulnerabilities.
 
3. MDISS is an initiative of the non-profit Foundation for Innovation, Translation and Safety Science (FITSS). MDISS is a member-driven collaborative and inclusive nonprofit organization committed to advancing quality health care with a focus on cyber security of health technology including medical devices. The MDISS organization and its programs develop and deliver best practices in public health, safety science and cyber physical system security to address the complex challenges associated with cybersecurity risk of healthcare technology and its impact on patient safety and privacy. MDISS medical device stakeholders include providers, payers, manufacturers, universities, government agencies, technology companies, individuals, patients, patient advocates and associations.
 
MDISS and NH-ISAC collaborations deliver important synergies that enable scalable public health programs, at the national and international levels, that contribute to safer medical devices, healthcare delivery organizations and critical infrastructure. This includes but is not limited to the National Healthcare Technology Cyber Surveillance and Safety Network.
 
4.  Executive Order 13636 articulates that cyber threats continue to grow and are one of the most serious threats to national security. Furthermore, Presidential Policy Directive 21 tasks federal government entities with the responsibility to strengthen the security and resilience of critical infrastructure (e.g. the Healthcare and Public Health sector) against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. As part of sector-specific cybersecurity initiatives, CDRH seeks to create a collaborative information-sharing environment and decision framework that reduces risks to the public’s health and allows rapid sharing of medical device vulnerabilities, threats, and mitigations within the hospital and healthcare ecosystem.
 
The NH-ISAC, given its unique position as a non-profit organization, and its recognition by DHS, HHS, and Healthcare SCC as the ISAC for the Healthcare and Public Health (HPH) Sector, is an essential partner in developing this collaborative information-sharing environment and decision framework. By leveraging the relationships that the NH-ISAC has already developed with public and private sector stakeholders, it will be able to develop the specialized knowledge, processes and analytical capabilities needed to assess and drive cybersecurity vulnerability mitigation in the HPH sector.
 
The MDISS stakeholder community has developed important trusted relationships as well as critical technical, policy and healthcare delivery expertise related to cybersecurity of healthcare technology. By framing healthcare technology cybersecurity as a public health challenge, MDISS, in collaboration with NH-ISAC, the FDA and other key stakeholders, has been able to leverage public health best practices to design and deploy collaborative information systems to support medical device risk assessment, surveillance and threat intelligence, and vulnerability information sharing.
 
III.     Goals of Collaboration:
 
1.      Create an environment that fosters stakeholder collaboration and communication, and encourages the sharing of information about cybersecurity vulnerabilities that may affect the safety, effectiveness and security of the medical devices, and/or the integrity and security of the surrounding healthcare IT infrastructure. Ultimately, exploited vulnerabilities may have downstream public health and patient safety consequences.
 
2.      Develop awareness of the Framework for Improving Critical Infrastructure Cybersecurity (developed by the National Institute for Standards and Technology, herein referred to as NIST, with collective input from other government agencies and the private sector), and enable HPH sector stakeholders to successfully adapt and operationalize the framework for their organizations and products.
 
3.      Encourage stakeholders within the HPH Sector to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities that affect their products.
 
4.      Build a foundation of trust within the HPH community (including but not limited to medical device manufacturers, end user facilities, providers and healthcare organizations) so that all healthcare technology and medical device stakeholders can directly benefit from the sharing of cybersecurity vulnerability- and/or threat information identified within the HPH Sector, as well as intelligence feeds from other Critical Infrastructure Sectors that may secondarily affect healthcare and the public health. Gaining timely situational awareness of cybersecurity vulnerabilities that can have negative consequences for patient safety provides stakeholders with an opportunity to share solutions in advance of potential harm and possibly prevent economic or ‘brand’ damage. It would further enable owners and operators of critical infrastructure to proactively take appropriate measures to strengthen cybersecurity within the HPH sector with accuracy and agility.
 
IV.      Substance of the Agreement:
 
1.      FDA intends to establish a mechanism by which information regarding cybersecurity vulnerabilities and threats can be shared with the NH-ISAC and MDISS. This MOU does not authorize, and FDA does not intend to, share any confidential commercial, trade secret, or personal privacy information with NH-ISAC or MDISS pursuant to this MOU.
 
2.      NH-ISAC and MDISS intend to work with their members to establish a mechanism by which cybersecurity vulnerabilities relevant to medical devices are shared with FDA, such that the existing agreements among NH-ISAC and MDISS members will not be infringed upon. 
 
3.      The parties intend to work together to establish how stakeholders can interface with FDA regarding medical device or healthcare cybersecurity vulnerability information-sharing. This collaboration will help inform a common understanding of that risk threshold upon which exploit of a vulnerability might impact on patient safety and/or public health. This includes but is not limited to the (a) NH-ISAC-MDISS collaborative Information Sharing and Analysis Organization (ISAO) function in support of the FDA post-market guidance (Ref) and (b) National Healthcare Technology Cyber Surveillance and Safety Network.
 
4.      The parties intend to collaborate to develop a shared understanding of the risks posed by cybersecurity vulnerabilities to medical devices. The parties also intend to foster the development of a shared risk assessment framework to enable stakeholders to consistently and efficiently assess patient safety and public health risks associated with identified cybersecurity vulnerabilities and take timely, appropriate action to mitigate the risks. This approach will also enable stakeholders to provide timely situational awareness to the HPH community and take efforts to preemptively address the cybersecurity vulnerability through appropriate mitigation and/or remediation before it impacts the safety, effectiveness or security of medical devices, or the integrity/security of the Healthcare IT infrastructure.
 
5.      Each Party will establish a principal point of contact to facilitate the actions carried out under this MOU.
 
V.      General Provisions:
 
1.      This MOU represents the broad outline of the Parties’ intention to collaborate in areas of mutual interest. All activities that may be undertaken by this MOU are subject to the availability of personnel, resources, and funds. This MOU does not affect or supersede any existing or future understandings or arrangements between the Parties and does not affect the ability of the Parties to enter into other understandings or arrangements related to this MOU. This MOU does not create binding, enforceable obligations against any Party. This MOU and all associated agreements will be subject to the applicable policies, rules, regulations, and statutes under which FDA, the NH-ISAC and MDISS operate.
 
2.      Data Sharing Guidelines: The Parties may enter into separate Confidential Disclosure Agreements (CDAs) pertaining to certain data and information shared in accordance with this MOU. In accordance with applicable law and regulations, including, but not limited to, 21 U.S.C. 331(j), 21 U.S.C. 360j(c), 18 U.S.C. 1905, 21 CFR 20.61 and 20.63, FDA will not share any confidential commercial information, trade secrets, or personal privacy information with NH-ISAC or MDISS pursuant to this MOU. 
 
VI.     Liaison Officers:
 
A. For the NH-ISAC
 
Denise Anderson
President/CEO
NH-ISAC
Global Institute for Cybersecurity and Research
NASA/Kennedy Space Center, NASA Parkway West
State Road 405, Building M6-306
Kennedy Space Center, FL 32899
 
B. For the Food and Drug Administration  
 
Suzanne B. Schwartz, MD, MBA
Associate Director for Science and Strategic Partnerships
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Building 66, Room 5434
Silver Spring, MD 20993
301-796-6937
 
or
 
Seth Carmody, PhD
Senior Project Manager for Cybersecurity
Emergency Preparedness/Operations and Medical Countermeasures (EMCM) Program
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Building 66, Room 4652
301-796-6944
Seth.carmody@fda.hhs.gov
 
C. For Medical Device Innovation, Safety and Security (MDISS) Consortium
 
Dale Nordenberg, MD
Executive Director
3620 Oxford Ave, Suite 3A
Bronx, NY 10463
 
Each Party may designate new liaisons at any time by notifying the other Party's administrative liaison in writing. If, at any time, an individual designated as a liaison under this agreement becomes unavailable to fulfill those functions, the Parties will name a new liaison within two (2) weeks and notify the other Party through the designated administrative liaison.
 
VII. Term, Termination, and Modification:
 
This agreement, when accepted by all participating Parties, will have an effective period of performance of five (5) years from the date of the latest signature and may be modified or terminated by mutual written consent by both Parties or may be terminated by either Party upon a thirty (30) day advance written notice to the other.
 
APPROVED AND ACCEPTED
NH-ISAC
 
Denise Anderson
President/CEO
September 2016
  
APPROVED AND ACCEPTED
MDISS
 
Dale Nordenberg, MD
Executive Director
September 2016
 
APPROVED AND ACCEPTED
FOOD AND DRUG ADMINISTRATION
 
Jeffrey Shuren, M.D., J.D.
Director
Center for Devices and Radiological Health
September 2016