Medical devices are a major pain point in healthcare cybersecurity, and both Congress and the Food and Drug Administration took steps this week to close the gap — Congress with a proposed law and the FDA with new draft guidelines for device manufacturers on how they should build devices that are less likely to be hacked.
Internet-connected devices such as infusion pumps or imaging equipment can be targets for hacks. These attacks can steal patient data or directly compromise the security of the devices themselves. Experts keep finding that devices in use today have vulnerabilities that could be exploited by hackers.
The FDA, which regulates medical devices, has been trying to get a handle on this problem for some time. Back in 2014, it issued guidance for medical device manufacturers detailing how they should integrate cybersecurity before asking the agency to approve their products. The agency then released a draft policy in 2018. This new draft replaces the 2018 version and is based on feedback from manufacturers and other experts, as well as changes in the medical device landscape over the past few years, Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships and Technology Innovation, told The Verge.
The new document is still only a draft, and device makers will not use it until it’s finalized after another round of feedback. But it includes some significant changes from the last iteration – including an emphasis on the entire lifecycle of a device and a recommendation that manufacturers include a software bill of materials (SBOM) with all new products, giving users information about the various elements that make up a device. An SBOM makes it easier for users to keep track of their devices. For example, if a bug or vulnerability is found in a piece of software, a hospital can quickly check whether its infusion pumps use that particular software.
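The infusion-pump check described above, as an added example that is not part of the article and not code from the FDA or any manufacturer: a hospital holds one SBOM per device, an advisory names a component and the version that fixes it, and a script reports which devices still ship an older version. The SBOMs, device names, component names and versions here are constructed sample data in a CycloneDX-like JSON shape; the nesting rule and the treatment of non-numeric version strings are assumptions about how such inventories are typically handled.

```python
"""Find fleet devices whose SBOM lists a component below a fixed version."""
import json

# Constructed CycloneDX-style SBOMs for four hypothetical devices. Sample data,
# not real manufacturer output; only the fields the check needs are present.
_FLEET = {
    "pump-ward3-01": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "2.1.0"},
            {"type": "library", "name": "json-parser", "version": "0.9.4"},
        ],
    },
    "pump-ward3-02": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "2.1.0"},
            {"type": "library", "name": "json-parser", "version": "1.2.0"},
        ],
    },
    "imaging-rad-07": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "1.8.5"},
            {"type": "library", "name": "dicom-lib", "version": "3.0.1"},
        ],
    },
    "monitor-icu-04": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            # A pre-release tag: not comparable by plain numeric rules.
            {"type": "library", "name": "tls-stack", "version": "2.1.0-rc1"},
        ],
    },
}
# Stored as JSON text, the way SBOM files arrive from a vendor.
FLEET_SBOMS = {dev: json.dumps(bom) for dev, bom in _FLEET.items()}


def parse_version(text):
    """Return a comparable tuple for a plain dotted version ("1.8.5"), or None
    when the string carries suffixes (e.g. "2.1.0-rc1") that a person must
    interpret rather than silently guessing an ordering."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def iter_components(sbom_json):
    """Yield (name, version) for every component, including nested ones
    (CycloneDX lets a component carry its own 'components' list)."""
    bom = json.loads(sbom_json)
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp.get("name", ""), comp.get("version", "")
        stack.extend(comp.get("components", []))


def find_affected(fleet, component_name, fixed_version):
    """Split the fleet into devices that ship component_name below
    fixed_version and devices whose version string could not be compared
    automatically. Both lists are sorted (device_id, version) pairs."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"fixed version {fixed_version!r} is not a plain dotted version")
    affected, needs_review = [], []
    for device_id, sbom_json in fleet.items():
        for name, version in iter_components(sbom_json):
            if name != component_name:
                continue
            parsed = parse_version(version)
            if parsed is None:
                needs_review.append((device_id, version))
            elif parsed < fixed:
                affected.append((device_id, version))
    return sorted(affected), sorted(needs_review)


if __name__ == "__main__":
    # Hypothetical advisory: json-parser is fixed in 1.0.0, tls-stack in 2.0.0.
    for comp, fixed in (("json-parser", "1.0.0"), ("tls-stack", "2.0.0")):
        hit, review = find_affected(FLEET_SBOMS, comp, fixed)
        print(f"{comp} < {fixed}: affected={hit} needs_review={review}")
```

The point of the separate needs_review list is that an SBOM is only as useful as the version strings in it: a pre-release or vendor-suffixed version that the script cannot order is reported for a human to resolve rather than being dropped from the result, which is the failure mode that would leave a vulnerable pump off the patch list.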
The FDA also introduced legislative proposals on medical device cybersecurity and asked Congress to be given more explicit powers to set requirements. “The intention is to make devices so much more resilient that they can withstand potential cyber exploits or intrusions,” says Schwartz. Manufacturers should be able to update or patch software issues without affecting device functionality, she says.
The FDA’s effort aligns with a bill introduced in Congress this week, the Protecting and Transforming Cyber Health Care (PATCH) Act, that would codify some of the FDA’s proposals. The bill would require device manufacturers to have a plan to fix cybersecurity issues with their devices and require an SBOM for new devices. If the law is passed, these elements would become requirements enforced by the FDA, not just recommended guidelines.
“That would give us extra teeth,” Schwartz says. “This would really be the first time that we have a very explicit authority on cybersecurity and tie it directly to medical device security.”
Notably, these new recommendations and legislation would primarily apply to new devices entering the market – they do not cover the millions of medical devices already in use in the United States. The FDA has guidelines written in 2016 that describe how device manufacturers should stay aware of potential cybersecurity issues in their devices already on the market. Schwartz says the FDA has no active plans to update these guidelines, but the agency would consider doing so.
The focus of the new draft guidelines and the FDA’s push for device cybersecurity legislation is to ensure that new devices coming online are in better shape than those on the market that have existing cybersecurity issues. “We don’t want tomorrow’s devices to have the legacy we’re dealing with today,” she says.