Medical devices are one of the biggest pain points in healthcare cybersecurity, and Congress and the Food and Drug Administration took steps to close that gap this week – Congress with a bill and the FDA with new draft guidelines for device makers on how they should build devices less susceptible to hacking.
Devices such as infusion pumps or internet-connected imaging machines can be targets of hacks. These attacks can siphon off patient data or directly put patient safety at risk. Experts constantly find that the devices used today have vulnerabilities that could be exploited by hackers.
The FDA, which regulates medical devices, has been trying to get this problem under control for some time. In 2014, it published guidance for medical device makers that explained how they should incorporate cybersecurity before asking the agency to license their products. The agency then published a draft guideline in 2018. This new draft supersedes the 2018 version and is based on feedback from manufacturers and other experts and on changes in the medical device environment over the past few years, Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA, told The Verge.
The new document is still just a draft, and device makers won’t start using it until it’s finalized after another round of comments. But it does include some significant changes from the last go-around – including a focus on the entire lifecycle of a device and a recommendation for manufacturers to include a Software Bill of Materials (SBOM) with all new products, which gives users information about the different elements that make up a device. An SBOM makes it easier for users to keep tabs on their devices. If a bug or vulnerability is found in a piece of software, for example, a hospital could easily check whether its infusion pumps are using that specific software.
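The check described above, as an added example that is not from the article, the FDA or any manufacturer: a hospital matches a constructed advisory against constructed CycloneDX-style SBOMs for three hypothetical devices. Device ids, component names, versions and the advisory id are all invented placeholders.

```python
import json

# Constructed inventory: each hypothetical device carries a minimal CycloneDX-style SBOM.
INVENTORY_JSON = """
[
  {"device_id": "pump-ward3-01", "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [{"name": "rtos-net", "version": "2.4.1"},
                     {"name": "libtls", "version": "1.0.2"}]}},
  {"device_id": "pump-ward3-02", "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [{"name": "rtos-net", "version": "2.6.0"},
                     {"name": "libtls", "version": "1.1.0"}]}},
  {"device_id": "ct-imaging-01", "sbom": {"bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [{"name": "dicom-server", "version": "5.2.0"},
                     {"name": "libtls", "version": "1.0.9"}]}}
]
"""

# Constructed advisory (placeholder id, not a real CVE): the named component is
# vulnerable in every version below the first fixed release.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "component": "libtls", "fixed_in": "1.1.0"}


def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(component, advisory):
    """True when the component is the advised package at a version below the fix."""
    return (component["name"] == advisory["component"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def affected_devices(inventory_json, advisory):
    """Return the ids of devices whose SBOM lists a vulnerable component version."""
    hits = []
    for device in json.loads(inventory_json):
        components = device["sbom"].get("components", [])
        if any(is_affected(c, advisory) for c in components):
            hits.append(device["device_id"])
    return hits


if __name__ == "__main__":
    # Numeric comparison matters: a string compare would rank "1.10.0" below "1.9.0".
    print(affected_devices(INVENTORY_JSON, ADVISORY))  # ['pump-ward3-01', 'ct-imaging-01']
```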
The FDA has also introduced medical device cybersecurity legislative proposals, asking Congress for more explicit power to make requirements. “The intention is to enable devices to be much more resilient to withstand the potential for cyber exploits or intrusions,” says Schwartz. Manufacturers should be able to update or fix software issues without affecting the operation of devices, she says.
The FDA’s efforts dovetail with a bill introduced in Congress this week, the Protecting and Transforming Cyber Health Care (PATCH) Act, which would codify some of the FDA’s proposals. The bill would require device makers to have a plan to address any cybersecurity issues with their devices and would require an SBOM for new devices. If the bill passes, these items will become requirements rather than just FDA-recommended guidelines.
“It would give us extra teeth,” says Schwartz. “This really, for the first time, would establish, very explicitly, authority in the area of cybersecurity and tie it directly to medical device security.”
Notably, these new recommendations and legislation would apply primarily to new devices entering the market – they do not cover the millions of medical devices already in use in the United States. The FDA has guidelines, drafted in 2016, that outline how device makers should keep tabs on potential cybersecurity issues in their existing devices already on the market. Schwartz says the FDA has no active plans to update these guidelines, but it’s something the agency would consider.
The goal of the new draft guidelines and the FDA’s push for device cybersecurity legislation is to ensure that new devices that come online are in better condition than those that have been on the market and have existing cybersecurity issues. “We want the devices of tomorrow to not have the same legacy issues that we face today,” she says.