MOU 225-25-002
Memorandum of Understanding
Between
Veterans Health Administration
Office of Healthcare Technology Management
And
The U.S. Food and Drug Administration
Center for Devices and Radiological Health
I. Purpose
The United States Food and Drug Administration (“FDA”)’s Center for Devices and Radiological Health (“CDRH”) and the Veterans Health Administration (“VHA”)’s Office of Healthcare Technology Management (“HTM”) have a shared interest in the cybersecurity of medical devices regulated by the FDA and used by VHA to fulfill their mission of providing quality healthcare to Veterans. FDA and VHA are each referred to herein individually as a “Party” and collectively as the “Parties.” This Memorandum of Understanding (“MOU”) establishes the terms for collaboration to promote this shared interest.
II. Background
1. FDA is authorized to enforce the Federal Food, Drug, and Cosmetic Act (“the FD&C Act”) as amended (21 U.S.C. 301, et seq.). In fulfilling its responsibilities under the FD&C Act, FDA, among other things, directs its activities toward promoting and protecting the public health by ensuring the safety, efficacy, and security of drugs, biological products, veterinary products, medical devices, and radiological products, and the safety and security of foods and cosmetics. CDRH is responsible for assuring that patients and providers have timely and continued access to safe, effective, and high-quality medical devices and safe radiation-emitting products. To accomplish its mission, FDA takes efforts to stay abreast of the latest technological advances and developments in research by communicating with stakeholders about complex scientific and public health issues.
2. The VHA is America’s largest integrated healthcare system, providing care at 1,321 healthcare facilities, including 172 medical centers and 1,138 outpatient sites of care of varying complexity (VHA outpatient clinics), serving 9 million enrolled Veterans each year, across more than 150 global locations. HTM is tasked with supporting over 900,000 medical devices and 2,000 biomedical engineering professionals. Of these medical devices, over 155,000 are networked and supported by a smaller percentage of biomedical engineering staff. Cybersecurity is a key factor in ensuring that these devices safely and effectively deliver care.
3. Executive Orders 13636 and 14028 articulate that cyber threats continue to grow and are one of the most serious threats to national security. Furthermore, National Security Memorandum 22 tasks federal government entities with the responsibility to strengthen the security and resilience of critical infrastructure (e.g., the Healthcare and Public Health sector) against physical and cyber threats such that these efforts reduce vulnerabilities, minimize consequences, and identify and disrupt threats. As part of sector-specific cybersecurity initiatives, CDRH and HTM seek to create a collaborative, information-sharing environment that manages cyber risk to the public’s health and allows rapid sharing of medical device cybersecurity information within the federal hospital and healthcare ecosystem.
III. Goals of Collaboration
1. Create a shared understanding of each Party’s authorities, policies, and procedures to ensure that each Party understands how their policies may affect the other and where opportunities for refinement may exist.
2. Create an established forum through which the Parties may collaborate on medical device cybersecurity policy, such as the harmonization of requirements, expectations, or recommendations for cybersecure medical device design and deployment.
3. Provide a mechanism through which the Parties may share information related to cyber threats or incidents that may affect or have affected medical devices, such that each Party can take appropriate actions to protect the public health. The timely sharing of such information and associated collaboration serves the public interest in the operation of safe and secure medical devices in the federal healthcare ecosystem.
4. Establish a forum of subject matter experts in medical device cybersecurity and other appropriate stakeholders of the Parties that may collaborate on issues, activities, engagements, and stakeholder education related to the cybersecurity of medical devices.
IV. Substance of the Agreement
1. Each Party intends to share appropriate cyber threat and incident information related to medical devices with the other Party.
2. Where appropriate, the Parties may establish mechanisms for sharing collaborative work with other federal healthcare sector entities and other stakeholders. These additional parties would need to enter separate agreements for such collaborative work.
3. Each Party will establish and maintain a principal point of contact to facilitate the actions carried out under this MOU.
4. This MOU will involve the exchange of information which is governed by 21 C.F.R. § 20.85, Disclosure to other Federal Government departments and agencies. Any Food and Drug Administration (FDA) record otherwise exempt from public disclosure may be disclosed to other Federal Government departments and agencies, except for the trade secret and confidential commercial or financial information prohibited from disclosure by 21 U.S.C. 331(j), 21 U.S.C. 360j(c), 21 U.S.C. 360ll(d), 21 U.S.C. 360nn(e), and 21 U.S.C. 387f(c) which may be released only as provided by those sections.
V. General Provisions
1. Resource Obligations. This MOU represents the broad outline of the Parties’ intention to collaborate in areas of mutual interest. All activities that may be undertaken by this MOU are subject to the availability of personnel, resources, and funds. This MOU does not affect or supersede any existing or future understandings or arrangements between the Parties and does not affect the ability of the Parties to enter into other understandings or arrangements related to this MOU. This MOU does not create binding, enforceable obligations against any Party. This MOU and all associated agreements will be subject to the applicable policies, rules, regulations, and statutes under which FDA and VHA operate.
VI. Disclosure of Information
1. Access to the confidential and non-public information shared under this MOU shall be restricted to authorized FDA and VHA employees, agents, and officials who require access to perform their official duties in accordance with the uses of the information as authorized in this MOU and any such non-public information is shared by FDA pursuant to 21 C.F.R. 20.85. Such personnel shall be advised of (1) the confidential nature of the information; (2) safeguards against the unauthorized disclosure of confidential information, and (3) the administrative and civil penalties contained in applicable Federal laws for the unauthorized disclosure of confidential information. Such personnel shall be individually required, prior to receiving any such information, to sign the Confidentiality Commitment form as attached in Appendix A of this MOU.
2. If a Party wishes to use the information provided by the other Party under this MOU for any purpose other than those outlined above, the requesting Party shall make a written request to the other Party describing the additional purposes for which it seeks to use the information. If the Party receiving this request determines that the request to use the information provided hereunder is acceptable, it shall provide the requesting Party with written approval of the additional use of the information.
3. Pursuant to sections 301(j) and 520(c) of the FD&C Act (21 U.S.C. § 331(j) and 360j(c)), FDA will not reveal to VHA any information entitled to protection as non-public information relating to devices obtained by FDA under sections 513, 514, 515, 516, 518, 519, 520(f), 520(g), or 704 of the FD&C Act (21 U.S.C. 360c, 360d, 360e, 360f, 360h, 360i, 360j(f), 360j(g), 374), unless there is in place a written authorization, from the owner of that information, that permits FDA to reveal such information to representatives of agencies that are not in the Department of Health and Human Services.
4. Proper safeguards shall include the adoption of policies and procedures to ensure that the information shared under this MOU shall be used consistent with the Trade Secrets Act [18 U.S.C. § 1905], the Federal Food, Drug, and Cosmetic Act (FDCA) [21 U.S.C. 301 et seq.], the Privacy Act of 1974, as amended [5 U.S.C. § 552a], the Freedom of Information Act [5 U.S.C. § 552], any other applicable Federal law and their implementing regulations. Pursuant to FDCA section 301(j) [21 U.S.C. § 331(j)], FDA will not reveal to VHA any method or process which is entitled to protection as a trade secret.
5. Confidential or nonpublic information includes but is not limited to: (1) confidential commercial information, such as the information that would be protected from public disclosure pursuant to Exemption 4 of the Freedom of Information Act (FOIA); (2) personal privacy information, such as the information that would be protected from public disclosure pursuant to Exemption 6 or 7(c) of the FOIA; or (3) information that is otherwise protected from public disclosure by Federal statutes and their implementing regulations (e.g. Trade Secrets Act (18 U.S.C. 1905)), the Privacy Act (5 USC 552a), other Freedom of Information Act exemptions not mentioned above (5 USC 552(v)), the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.), and the Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191).
6. If a Freedom of Information Act (FOIA) request is received for any shared information, the Receiving Participant will: (a) if the request implicates documents from the Sharing Participant in their original form, refer the request to the Sharing Participant for that Participant to respond directly to the requester, and notify the FOIA requester of the referral and that a response will issue directly from the Sharing Participant regarding the releasability of the information; and (b) if the request implicates documents authored by the Receiving Participant that incorporates information from shared documents, consult with the Sharing Participant about how to respond to the FOIA request. The Receiving Participant will not indicate to the FOIA requester whether the Sharing Participant has responsive or releasable records. All actions taken under this paragraph must be in compliance with 45 C.F.R. 5.25.
7. When an Authorized Contact Person requests information, documents, or data, the request should be made in writing, which may include email, and contain all substantive requirements of 21 C.F.R. § 20.85 which includes the following language:
Information is being requested pursuant to Memorandum of Understanding 225-25-002. We agree not to disclose any shared information in any manner without your written permission or, if such disclosure is required by law, without advance notice to the originating agency.
By including this statement, requestors do not have to use a particular format or include other pre-specified text. Additionally, information can be requested using the 20.85 Model Request Letter (Appendix B).
VI. Liaison Officers:
A. For the VHA
Megan Friel, M.S., CCE
Biomedical Engineer, Director
Office of Healthcare Technology Management (HTM)
VA Central Office
810 Vermont Avenue
Washington, D.C. 20420
(202) 384-3987
Megan.friel@va.gov
Or
Connor Walsh, CISSP
Biomedical Engineer, Medical Device Networking & Cybersecurity
Office of Healthcare Technology Management (HTM)
VA Central Office
810 Vermont Avenue
Washington, D.C. 20420
(857) 329-2818
Connor.walsh@va.gov
B. For the Food and Drug Administration
Nastassia Tamari, M.S.
Associate Director
Division of Medical Device Cybersecurity
Office of Readiness and Response
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Silver Spring, MD 20903
(240) 687-0904
nastassia.tamari@fda.hhs.gov
Or
Jessica Wilkerson, J.D.
Senior Cyber Policy Advisor and Medical Device Cybersecurity Team Lead
Division of Medical Device Cybersecurity
Office of Readiness and Response
Office of Strategic Partnerships and Technology Innovation
Center for Devices and Radiological Health
Food and Drug Administration
10903 New Hampshire Avenue
Silver Spring, MD 20903
(240) 401-8691
jessica.wilkerson@fda.hhs.gov
Each Party may designate new liaisons at any time by notifying the other Party’s administrative liaison in writing. If, at any time, an individual designated as a liaison under this MOU becomes unavailable to fulfill those functions, the Parties will name a new liaison within two (2) weeks and notify the other Party through the designated administrative liaison.
VII. Term, Termination, and Modification:
This MOU, when accepted by all participating Parties, will have an effective period of performance of five (5) years from the date of the latest signature and may be modified or terminated by mutual written consent by both Parties or may be terminated by either Party upon a thirty (30) day advance written notice to the other.
Authorized Signatures
Approved and Accepted For
Veterans Health Administration
By:
/s/
Alfred Montoya
Deputy Assistant Under Secretary for Health for Operations
Office of the Deputy Under Secretary for Health
Date: 10/29/2024
Approved and Accepted For
U.S. Food and Drug Administration
Center for Devices and Radiological Health
By:
/s/
Michelle Tarver, M.D., Ph.D.
Acting Center Director
Center for Devices and Radiological Health
Date: 11/01/2024
APPENDIX A
CONFIDENTIALITY COMMITMENT
The Veterans Health Administration (“VHA”) and the U.S. Food and Drug Administration (“FDA”) frequently coordinate interagency efforts and are responsible for, inter alia, researching, setting, and enforcing standards and regulations to enable safe and effective medical device use in the United States. As part of participation in meetings, discussions, or other communications, I understand that I may be exposed to information that is non-public information or pre-decisional or deliberative information that has been provided to, or belongs to, an agency or department that is a member of the collaborative group.
I, on this _ day of _ , 20__, hereby agree that
I shall not release, publish, or disclose such information, including disclosure in publications and public meetings, and I shall protect such information in accordance with all applicable laws relating to my receipt of non-public information in connection with my participation in VHA/FDA activities, and that I may be subject to disciplinary action and, in some cases, administrative, civil, and/or criminal penalties as prescribed by law for unlawful disclosure of such information. I shall use such information in accordance with my official duties and shall share such information only with individuals who either (1) are employed by, or a contractor of, the originating government agency that provided the information to me or to my agency and are authorized to have access to the information by virtue of their duties; or (2) are employed by, or a contractor of, a collaborating agency and have themselves signed a Confidentiality Commitment.
Signature: _
Date: _
Type or Print Name: _
Agency: _
Supervisor Signature (if applicable): _
Date: _
Type or Print Supervisor Name: _
APPENDIX B
20.85 Model Request Letter
VHA LETTERHEAD *Please copy and paste onto your agency’s letterhead.
Attn: Information Sharing Specialist
Division of Information Disclosure
Office of Disclosure, Information Governance, and Accessibility
Office of Management and Enterprises, Office of the Commissioner
Food and Drug Administration
FDAInfoShare@fda.hhs.gov
Dear Information Sharing Specialist,
The Veterans Health Administration requests access to the following non-public information, pursuant to MOU 225-25-002, Request: [list the type of records/information requested, including the firm and/or product name and the relevant timeframe] pursuant to 21 C.F.R. § 20.85.
*(Requests for all documents, or all communications relating to a product/firm, are usually overly broad and can result in processing delays).
I certify that the activity is authorized by law, that the records or information will be used only for the stated purpose and will not be disclosed outside VHA without the prior written permission of the Food and Drug Administration. I also certify that disclosure within VHA will be limited to the specific purpose stated above, and that I will provide a copy of this letter to any person(s) with whom I share the non-public information.
I understand that 21 U.S.C. § 331 of the Federal Food, Drug, and Cosmetic Act prohibits disclosure of trade secret information outside the Department of Health and Human Services. If you have any questions, please contact [Provide your name and email (additional contact information)].
Sincerely,
YOUR SIGNATURE LINE
cc: RECOMMEND INSERTING NAME OF YOUR FDA CONTACT, IF ANY.
In an emergency, if submitting electronically or by written request or response is not feasible, this information may be conveyed orally consistent with all other terms of the MOU.
In cases where a Party to this MOU needs to obtain certain information as soon as possible due to emergency circumstances, such as an outbreak of an illness, or if required by law, the Requesting Party shall so indicate orally or through other informal means of communication to the other Party. The Requesting Party shall agree to protect any such information from unauthorized disclosure. In the case of emergency circumstances or if required by law, as soon as is practicable, the Parties to this MOU shall document their sharing of any non-public information.