The Food and Drug Administration (FDA) this week put into effect fresh guidance concerning the cybersecurity of medical devices — long a concerning area of risk for healthcare organizations and patients alike. The policy is one in a long line of attempts by the FDA to put some guardrails around the susceptibility of things like insulin pumps and heart monitors to hacking, and experts say that this time, the FDA's move might actually make a difference.
Effective immediately, medical device manufacturers are advised to submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits."
Manufacturers are also asked to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes making patches available "on a reasonably justified regular cycle," and for newfound critical vulnerabilities, "as soon as possible out of cycle."
And finally, the FDA is asking that new devices come prepared with a software bill of materials (SBOM).
For some, FDA guidance may evoke memories of prior actions that failed to improve cybersecurity in this critical area in any real way. But experts say this long road has finally reached a real, genuine inflection point. Starting now, new medical devices that don't meet these standards will be blocked from the market.
"It's actually been a process that's taken place over approximately the last 10 years," says Cybellum CMO David Leichner. "And it came to fruition two days ago."
Medical Devices in Cyber-Crisis
Medical device security has been an alarmingly lagging area for cybersecurity for a very long time, and there's a laundry list of reasons why. Healthcare facilities often use legacy IT and have flat networks that aren't segmented, for instance — even as medical devices for patients are increasingly connected. And security by design isn't common.
"A medical device manufacturer may be very experienced in designing highly reliable and innovative devices, but they may not necessarily be security experts," explains Axel Wirth, chief security strategist at MedCrypt.
In fact, the most cutting-edge medical equipment sometimes introduces new security problems that the old stuff never had. Internet connectivity brings a slew of benefits to providers, but also opportunities for hackers. In the State of Healthcare IoT Device Security 2022 report, healthcare IoT firm Cynerio found that more than half of all connected medical devices are vulnerable, including, for example, nearly three out of every four IV pumps.
Thus, cybercriminals can easily break in and run rampant across a hospital network, reaching whatever endpoints they choose, including these life-saving devices. This could have potential physical consequences for patients if a device is vulnerable to takeover by an unauthorized user. The risk isn't theoretical: A September 2022 report by Proofpoint's Ponemon Institute linked a 20% increase in mortality rates to cyberattacks targeting healthcare organizations.
This is all exacerbated by the fact that when bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely manner (as is the case for most IoT gear), and healthcare settings have an even more terrible track record of implementing them.
"One reason [for the insecurity] is that these devices live longer," Wirth points out. Because they're designed to last a while — which is otherwise a positive thing — "they may be outdated or running outdated software, and any operational technology (OT) that is not necessarily up to date is more difficult to maintain. It's more difficult to deploy patches; it's more difficult to find time during hospital operations to update the device."
Considering the ubiquity of security failures in the industry, coupled with the massive consequences at stake in the event of a breach, many have urged the government to do more than offer "suggestions" for addressing the problems.
The FDA's New Teeth
On Dec. 29, President Biden signed into law the Consolidated Appropriations Act, also known as the Omnibus bill, which included Section 3305 — "Ensuring cybersecurity of medical devices" — an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect on Thursday, 90 days after the Omnibus' passing.
So what happens now? It takes time for manufacturers to change their processes and for new products to integrate new rules and regulations (to say nothing of how healthcare, in general, moves more slowly than other industries, by necessity). The FDA has arranged for a six-month window — until Oct. 1 — for manufacturers to get used to the new rules of the road.
From now until then, the FDA will "work collaboratively" with manufacturers to ensure compliance, the agency clarified in an accompanying notice. Once Oct. 1 hits, "FDA expects that sponsors of such cyber devices will have had sufficient time to prepare." At that point, they will begin issuing "refuse to accept" (RTA) decisions to prevent any devices that don't meet the stated standards from reaching the market.
"Manufacturers are asking: 'When does this hit us?,'" Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety, explains. "And the FDA is clarifying: 'We're not going to start refusing to accept until October, so that you have time to update all of your documentation and relieve a little bit of pressure and fear. But no kidding, you guys better get your stuff ready in the next six months, because it's coming.'"
What remains to be seen is how the FDA will enforce its rules after a device is released to the public. Preventing a machine from reaching hospitals is one thing, but ensuring that vendors meet so many of the other requirements outlined in these guidelines — like regular monitoring, consistent patching, and responsible vulnerability disclosure — requires never-ending oversight.
"This is definitely going to increase the overhead of the FDA," Cybellum's Leichner figures. "It'll be interesting to see how they go about this."
The Timeline for Real, Visible Change
Even once manufacturers start turning out gear that's in compliance with the policy, an overhaul of healthcare device cybersecurity will take a while.
"Medical devices can be very pricey," Wirth points out, "and replacing medical devices in hospitals requires budget, requires training. Sometimes it requires even changes in building and infrastructure. So it'll take a number of years." Section 3305 assigns no deadline for healthcare providers to replace their existing legacy equipment.
Still, he says, "I think we are already seeing better secure devices arrive in the market," especially since the US isn't the only place to start demanding security hardening of the devices.
Even though the FDA's policy might take a while to bear real fruit (and it's too soon to know for certain), we may look back on 2023 as a watershed for the industry.
"This is going to help FDA staff, it's going to help the industry, it's going to motivate people to stop kicking the can down the road and start buckling down now," MedCrypt’s Schwartz concludes. "It's pretty cool."