Medical devices are a major weakness in healthcare cybersecurity, and both Congress and the Food and Drug Administration took steps this week to close that gap — Congress with a bill and the FDA with new draft guidelines for device makers on how to need to build devices that are less likely to be hacked.
Devices such as infusion pumps or imaging machines connected to the internet can be targets of hacks. Those attacks can siphon patient data or directly jeopardize their security. Experts consistently find that devices in use today have vulnerabilities that can be exploited by hackers.
The FDA, which regulates medical devices, has been trying to get a handle on this issue for some time now. In 2014, it released guidelines for medical device manufacturers outlining how to integrate cybersecurity before asking the agency to clear their products. The agency subsequently issued a draft guideline in 2018. This new concept replaces the 2018 version and is based on feedback from manufacturers and other experts and changes in the medical device environment in recent years, Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships and Technology Innovation, told The edge†
The new document is still just a draft and device manufacturers won’t start using it until it’s finalized after another round of feedback. But it includes a few significant changes from the last relaunch — including an emphasis on the entire lifecycle of a device and a recommendation that manufacturers include a Software Bill of Materials (SBOM) listing all new products that provide users with information about the various elements. that make up a device. An SBOM makes it easier for users to keep an eye on their devices. For example, if a bug or vulnerability is found in a piece of software, a hospital can easily verify that their IV pumps use that specific software.
The FDA has also released legislative proposals around the cybersecurity of medical devices, asking Congress for more explicit powers to make demands. “The intent is to make devices that much more resilient to withstand the potential for cyberattacks or intrusion,” says Schwartz. Manufacturers should be able to update or patch software issues without harming the function of the devices, she says.
FDA’s efforts align with bill introduced in Congress this week, the Protecting and Transforming Cyber Health Care (PATCH) Act, which would codify some of the FDA’s proposals. The bill requires device manufacturers to have a plan to address any cybersecurity issues with their devices, and require an SBOM for new devices. If the bill is passed, those elements will become requirements rather than just recommended guidelines from the FDA.
“This would give us extra teeth,” Schwartz says. “This would really, for the first time, establish authority very explicitly on cybersecurity and link that directly to the safety of medical devices.”
These new recommendations and legislation would particularly apply to new devices entering the market — they don’t cover the millions of medical devices already in use in the United States. The FDA has guidelines, written in 2016, that describe how device manufacturers should monitor potential cybersecurity vulnerabilities in their existing devices already on the market. Schwartz says the FDA has no active plans to update those guidelines, but it’s something the agency would consider.
The focus of the new design guidelines and the FDA’s drive to legislate around cybersecurity of devices is to ensure that new devices that come online are in better condition than those that have been on the market with existing cybersecurity vulnerabilities. “We want tomorrow’s devices not to have the same legacy issues that we face today,” she says.