For six months, medical device makers have had to comply with new cybersecurity regulations aimed at hardening medical devices against cyber attacks, but the US Food and Drug Administration has largely refrained from using its “refuse to accept” power up to now.
On Oct. 1, the FDA’s grace period — during which the agency stated it would try not to use its ability to reject medical devices that lack appropriate cybersecurity controls and a post-market patching capability — will end. The manufacturers of medical cyber devices must now submit plans to monitor and patch post-market cybersecurity vulnerabilities, have a process in place for the secure design and development of devices, and provide a software bill of materials (SBOM) to the FDA. Those who do not satisfy the requirements could have their devices rejected on the grounds that they pose too great a cyber risk.
The agency’s focus on medical-device cybersecurity stems from Congress’s passage of an omnibus appropriations act in December 2022 that included a section, “Ensuring Cybersecurity of Medical Devices,” requiring that medical-device manufacturers submit cybersecurity information to the FDA regarding any cyber device. The powers granted to the FDA, which went into effect in March, could go a long way toward forcing the makers of medical devices to consider and plan for vulnerabilities and cyberattacks, says Ty Greenhalgh, industry principal for healthcare at Claroty, an IoT security firm.
“This legislation addresses specifically that you have to do something about patching and updating on the new devices, and how are you going to get patches and updates out over the lifecycle in a reasonable time,” he says. “The way this is set up, it’s given broad authority for interpretation to the FDA on what it takes to get medical devices cyber-secure and what are the penalties, if you are not compliant with their interpretation.”
Medical devices have concerned cybersecurity experts for more than a decade, with a demonstration of the ability to hack an insulin pump stripping away many illusions of security in 2011. Major ransomware attacks on hospitals have laid bare the weaknesses and consequences, with the US Department of Health and Human Services estimating that slowed response times and patient triage led to as many as 36 more deaths per 10,000 heart attacks.
Yet medical-device manufacturers have been slow to change. In 2022, only about a quarter of manufacturers (27%) maintained an SBOM, while less than half (47%) took even the most common countermeasure: binary code analysis.
The FDA, which allocated $5 million of its budget to medical device cybersecurity, could change that.
“Cybersecurity exploits are one of the most substantial threats faced by this nation, and the impact is particularly harmful for our health care system, where vulnerabilities could compromise entire hospital systems or disrupt manufacturing of countless devices if they are impacted,” the FDA stated in its annual appropriations estimate. “Ultimately, these threats are of national security concern because if they go unchecked, they could cripple healthcare delivery.”
Ensuring Cybersecurity of Medical Devices
The US Food and Drug Administration has pushed for more cybersecurity in medical devices for more than a decade, outlining cybersecurity best practices for networked medical devices in 2005 and publishing draft guidance to manufacturers in 2016. Cyber devices are defined as those that include software, can connect to the Internet, or have a technical component that could be vulnerable to cybersecurity threats.
Putting these new requirements into law is a first step, but is far from being an answer in and of itself, says David Brumley, a cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
“We’re building a muscle at this point, and that muscle isn’t gonna allow us to lift this open-source [security] weight yet. But if we don’t start building this muscle we won’t be able to in 20 years,” he says. “I just wish that they took it a step further, to say how they’re going to hold people responsible, and what powers they have to hold people responsible.”
Not Detailed Enough to Help
While the government has correctly avoided prescribing technological measures in law due to rapidly changing technology, the legislation could have created a board of experts to determine the best practices for securing medical devices, says Brumley.
“If you don’t want the government dictating exactly how you should do things, because that can be slow and bureaucratic, then you should have an industry board that says what [the best practices] are for a practitioner,” he says. Brumley points out that engineers building bridges have industry- and government-prescribed standards and codes to follow for due diligence, and could be found negligent if they don’t follow them. “These requirements are so vague that you could do basically nothing, other than maybe running an SCA (software component analysis) scan, and you would satisfy the legislation.”
In addition, the law does not address the legacy devices already in use, some of which are 15 years old and are among the most vulnerable, adds Claroty’s Greenhalgh.
“This legislation is designed to start addressing the problem, but even if you are plugging the hole in the boat … it’s not really clear in the legislation what are you going to do about the legacy devices,” he says.
The FDA has significant resources on cybersecurity in medical devices, including an incident response playbook, a threat-modeling guide, and a best practices document for communicating cybersecurity vulnerabilities to patients.