The Urgent Call for Stringent Federal Mandates on Medical-Device Cybersecurity

New FDA Regulations Require Stronger Cybersecurity Measures for Medical Devices

Introduction

On October 1, the US Food and Drug Administration (FDA) will end the grace period for compliance with new cybersecurity regulations for medical device makers. These regulations, which were implemented in March, require manufacturers to submit plans for monitoring and patching post-market cybersecurity vulnerabilities, have secure design and development processes in place, and provide a software bill of materials (SBOM) to the FDA. Failure to meet these requirements could result in the rejection of devices deemed to pose significant cyber risks. The FDA’s focus on medical device cybersecurity is in response to the passage of an omnibus appropriations act in December 2022, which mandates that manufacturers submit cybersecurity information to the FDA. The FDA has been granted broad authority to interpret and enforce compliance with these regulations.

The Need for Improved Cybersecurity in Medical Devices

Cybersecurity concerns have plagued the medical device industry for over a decade. In 2011, a demonstration of hacking into an insulin pump exposed the vulnerabilities of such devices. Major ransomware attacks targeting hospitals have further highlighted the weaknesses in the system, with the US Department of Health and Human Services estimating that delayed response times and patient triage caused by cyber attacks resulted in additional deaths. Despite these risks, medical device manufacturers have been slow to implement cybersecurity measures. In 2022, only 27% of manufacturers maintained an SBOM, and fewer than half used common countermeasures such as binary code analysis.

Impact of FDA’s Regulations

The FDA’s regulations have the potential to drive significant change in the medical device industry. By requiring manufacturers to address vulnerabilities and plan for cyber attacks, these regulations aim to protect patients and prevent disruptions to healthcare delivery. However, there are concerns about the effectiveness and enforcement of these measures.

The Need for Clearer Accountability

While the regulations provide a necessary first step towards improving cybersecurity, they lack specificity regarding how manufacturers will be held accountable and what the penalties for non-compliance will be. Cybersecurity experts argue for the creation of an industry board that can establish best practices and standards for securing medical devices. Just as engineers who build bridges must follow prescribed standards and codes, medical device manufacturers should be held liable if they fail to meet cybersecurity requirements. The current vagueness of the regulations leaves room for minimal compliance efforts, rendering them inadequate in addressing the magnitude of the cybersecurity challenge.

Addressing Legacy Devices

Another significant concern is that the regulations do not address the issue of legacy devices, which are often the most vulnerable to cyber attacks. Many of these devices are outdated and lack the necessary security measures to withstand modern threats. The regulations, while a step in the right direction, focus primarily on new devices, leaving the existing devices vulnerable to potential breaches. It is crucial to develop strategies to address the security gaps in legacy devices and protect patient safety.

Conclusion

The FDA’s new cybersecurity regulations for medical devices mark an important milestone in addressing the significant threats posed by cyber attacks in healthcare. By establishing requirements for monitoring and patching vulnerabilities, as well as secure design and development processes, the regulations force manufacturers to prioritize cybersecurity. However, the regulations could benefit from clearer accountability measures and inclusion of legacy devices. Going forward, it will be crucial for manufacturers, the FDA, and industry experts to collaborate and continue to evolve cybersecurity practices in order to safeguard medical devices and ultimately protect patient lives.
