The Food and Drug Administration (FDA) this week issued new guidance on medical device cybersecurity. This is a risk area that has long been a concern for both healthcare providers and patients. The policy is one of the FDA’s long-running attempts to put guardrails on things like insulin pumps and heart monitors that are vulnerable to hacking.
Medical device manufacturers are advised to immediately submit “plans to monitor, identify and address post-market cybersecurity vulnerabilities and exploits within a reasonable time frame.”
Manufacturers are also required to “design, develop, and maintain processes and procedures to reasonably ensure that devices and related systems are cybersecured.” This includes making patches available “on a reasonably justified regular cycle” and, for newly discovered critical vulnerabilities, “as soon as possible out of cycle.”
And finally, the FDA requires new devices to have a software bill of materials (SBOM).
For some, the FDA’s guidance may evoke memories of previous actions that failed to actually improve cybersecurity in this important area. But experts say the long journey has finally reached a true inflection point. Going forward, new medical devices that do not meet these standards will be blocked from the market.
Cybellum CMO David Leichner said: “And it happened two days ago.”
Medical devices in cyber crisis
Medical device security has lagged behind the rest of cybersecurity for a very long time, and there are many reasons why. Healthcare facilities often run on traditional IT, such as flat, non-segmented networks, even as the medical devices attached to patients become increasingly connected. Security by design is also not common.
Axel Wirth, Chief Security Strategist at MedCrypt, explains:
In fact, state-of-the-art medical equipment can introduce new security issues that older equipment did not have. Internet connectivity offers many benefits for providers, but it also presents opportunities for attackers. In its State of Healthcare IoT Device Security 2022 report, healthcare IoT company Cynerio found that more than half of all connected medical devices are vulnerable; nearly three out of every four IV pumps, for example.
Cybercriminals can therefore infiltrate a hospital network and move through it to reach endpoints of their choosing, including these life-saving devices. If a device can be taken over by an unauthorized user, the consequences for the patient can be physical. The risk is not theoretical: a September 2022 report by the Ponemon Institute and Proofpoint linked a 20% increase in mortality to cyberattacks targeting healthcare facilities.
When bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely fashion (as is the case with most IoT equipment), and an even worse track record of implementation in healthcare settings. All this is made worse by the fact that they.
One reason [for the insecurity], Wirth points out, is that the devices are designed to last. “This is a good thing, but keeping them up to date is more difficult. Deploying patches is more difficult. Finding time to update devices during hospital operations is more difficult.”
Given the ubiquity of security failures in the industry and the serious consequences should a breach occur, many have urged governments to do more than offer “suggestions” to address the problem.
The FDA’s new teeth
On December 29, President Biden signed into law the Consolidated Appropriations Act, the omnibus spending bill, which includes Section 3305, “Ensuring Cybersecurity of Medical Devices,” an amendment to the Federal Food, Drug, and Cosmetic Act. The provision took effect on Thursday, 90 days after the omnibus was signed.
So what happens now? It takes time for manufacturers to change their processes and for new products to incorporate new rules and regulations (not to mention that healthcare in general necessarily moves more slowly than other industries). The FDA has therefore given manufacturers a six-month grace period, through October 1, to acclimate to the new rules of the road.
Until then, the FDA will “work with” manufacturers to ensure compliance, the agency said in an accompanying notice, so that “sponsors will have enough time to prepare.” After that, it will begin issuing “refuse to accept” (RTA) decisions, meaning that devices which do not meet the prescribed standards will be kept off the market.
Naomi Schwartz, senior director of cybersecurity quality and safety at MedCrypt, explains: “And the FDA has made it clear: ‘We don’t plan to start denying approvals until October, so there’s time to update all the documents and take some of the pressure and fear away. But we’re not kidding. Be ready in the next six months, because it’s coming.’”
It remains to be seen how the FDA will enforce the rule once a device has been released to the public. Keeping machines out of hospitals is one thing, but the guidance also outlines many other requirements that vendors must adhere to, such as regular monitoring, consistent patching, and responsible vulnerability disclosure, and verifying those requires continuous oversight.
“This will definitely increase FDA overhead,” Cybellum’s Leichner calculates. “It will be interesting to see how they go about this.”
A timeline of real and visible change
Medical device cybersecurity overhauls will take some time, even as manufacturers begin to produce policy-compliant devices.
“Medical equipment can be very expensive, and replacing medical equipment in a hospital requires budget, requires training, and may require changes to buildings and infrastructure. It will take years.” Section 3305 does not set a deadline for providers to replace existing legacy equipment.
Still, he says, “I think there are more secure devices on the market.” The United States isn’t the only country to start demanding increased security for its devices.
While it may be a while before the FDA’s policy really bears fruit (and it’s too early to know for sure), we may look back on 2023 as a watershed moment for the industry.
MedCrypt’s Schwartz concludes: “This will help FDA staff and industry. People will go off the rails and sit down now. It’s so cool.”