Updated October 26, 2024
The development and management of medical device security has become very complex. The Food and Drug Administration (FDA) regulates over 190,000 different devices. With risks and vulnerabilities on the rise, the FDA issued new guidance in 2023 requiring manufacturers to include cybersecurity rules and protocols in their premarket submissions.
Since then, various stakeholder groups and cybersecurity experts have offered advice and guidance. Earlier this year, the Healthcare and Public Health Sector Coordinating Council (HSCC) issued its recommendations on healthcare and manufacturers working together to reduce risk and bolster security.
There are some practical and insightful takeaways from the HSCC guide.
Security Across the Lifecycle of the Device
As with any technology, medical devices have a lifecycle that begins at development and ends with sunsetting. A lot can happen during this time: new risks emerge, features evolve, and functionality expands.
Manufacturers and providers must look at cybersecurity through this lens. Ideally, the device is secure by design, but secure by design does not mean free of risk. Devices often contain many different software components, and a vulnerability can arise in any of them. Once the device is connected to a network, new threats emerge.
The guidance also includes preparing for end-of-life (EOL) or end-of-support (EOS) for devices. Pre-planning by the manufacturer, shared with users, can be very useful; failing to do so can jeopardize security. One example is that operating system updates cease, so the device is no longer brought up to the current version.
Patient Notifications Regarding Device Updates
Many medical devices work outside care settings. They are a daily part of a patient's life and must remain connected. The FDA guidance outlines the need for patching and update plans once devices are in use, but it does not specifically address patient notifications.
The HSCC security plan treats notifications as an integral part of the process. It calls out the need to notify patients about updates, whether or not the patient has to take action. Most updates would be applied automatically by the manufacturer, but automatic updates can fail, so making patients part of the cybersecurity ecosystem could mitigate that risk.
Balancing User Needs with Security
The HSCC also emphasizes the need to balance user needs with medical device security. It’s the same story for any piece of technology. Security is paramount, but it shouldn’t impede usability.
This is another chance for collaboration between providers and manufacturers. Those developing devices need to understand real-world use cases and make careful decisions about security controls.
The organization recommends a security design risk assessment as a starting point. Manufacturers should tap medical device cybersecurity experts to support this initiative. With their objective perspective and expertise, they can help:
- Identify design risks
- Evaluate the impact of such risks
- Determine if the risk is acceptable or something that needs further analysis
Prioritizing Supply Chain Risk Management
As part of the new FDA rules, manufacturers must submit a software bill of materials (SBOM). It must encompass any code, binaries, and dependencies. It offers visibility into what makes the device work.
Taking the SBOM a step further means defining specific criteria for managing those components through supply chain risk management. Any included software can turn out to be a weakness, and developers use a great deal of open-source code. Performing iterative testing of every integrated component, whether third-party or internally developed, offers a means to control supply chain risk.
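As an added illustration (not code from the HSCC guide or any manufacturer), the script below reviews an SBOM the way the two paragraphs above describe: it walks every listed component, flags entries that cannot be risk-assessed (no version) or that obscure what actually ships (duplicates), and matches the rest against a list of components needing further analysis. The CycloneDX-style JSON layout, the sample SBOM and the risk list are all constructed assumptions; the page names no SBOM format and no specific components.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON. The format is an assumption:
# the page only says code, binaries and dependencies must be listed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1w"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "vendor-ble-stack"},           # no version recorded
        {"type": "library", "name": "zlib", "version": "1.2.11"},  # listed twice
    ],
})

# Constructed risk list keyed by (name, version). A real program would feed this
# from vulnerability advisories and each supplier's published end-of-support dates.
KNOWN_RISKS = {
    ("openssl", "1.1.1w"): "component past supplier end-of-support (constructed entry)",
    ("zlib", "1.2.11"): "component listed in advisory feed (constructed entry)",
}


def review_sbom(sbom_json, risks):
    """Return a list of {'component', 'issue'} findings for the given SBOM.

    A component without a version cannot be matched against advisories, a
    duplicate entry hides which copy actually ships, and a (name, version)
    present in the risk list needs the further analysis the guidance calls for.
    """
    bom = json.loads(sbom_json)
    findings = []
    seen = set()
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name:
            findings.append({"component": "<unnamed>", "issue": "component has no name"})
            continue
        if not version:
            findings.append({"component": name, "issue": "no version recorded; cannot be risk-assessed"})
            continue
        key = (name, version)
        if key in seen:
            findings.append({"component": f"{name}@{version}", "issue": "duplicate entry in SBOM"})
            continue
        seen.add(key)
        if key in risks:
            findings.append({"component": f"{name}@{version}", "issue": risks[key]})
    return findings
```

Run `review_sbom(SAMPLE_SBOM, KNOWN_RISKS)` to get four findings from the sample; on a real program the same loop runs against each new SBOM revision so that supply chain review is iterative rather than a one-time premarket exercise.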
Medical Device Security: Guidance into Practical Actions
With this new plan for medical device security and the FDA’s update, manufacturers have many resources to build a program. However, it’s complicated and always changing, which is why organizations need a trusted partner. You can find that with our team. We specialize in medical device security and supporting premarket submission.
Learn more by contacting us today.