Healthcare and technology can work together to benefit patients and those who care for them. One of the most exciting innovations to come to fruition is medical devices. It’s a rapidly evolving part of healthcare technology, with a variety of products changing the face of healthcare delivery, chronic disease management, surgery, and diagnosis. While there’s much to celebrate here, there is also risk. Medical device security has become a hot topic as the number of connected medical devices grows.
As a result of the industry taking off and the inherent security vulnerabilities, stakeholders are attempting to imagine the future of medical device security. The Food and Drug Administration (FDA) recently passed new rules for the category, with new burdens placed on manufacturers. HDOs (Healthcare Delivery Organizations) also have responsibilities relating to medical device cybersecurity.
Let’s review the new FDA rules and what you can expect in the short and long term for medical device security.
New FDA Law on Medical Devices Includes Cybersecurity Standards
Cybersecurity risks are a critical component of medical devices. There are concerns that a breach could expose sensitive health information. An even bigger threat may be the opportunity to hack devices and cause adverse patient outcomes. This hasn’t happened yet, but breaches have. In 2023, three medical device makers — BD, Insulet, and Zoll Medical — had to alert customers regarding vulnerabilities.
BD makes infusion pumps. They determined that their devices could expose personal data in the system. They issued a bulletin and notified the FDA and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The risk relates specifically to the software installed on hospital computers.
Insulet, another insulin pump manufacturer, notified impacted users of a breach and filed a report with the U.S. Department of Health and Human Services (HHS). The breach affected 29,000 users.
Zoll Medical sent a data breach communication to over 1 million users of their wearable defibrillator. The information stolen in the incident included Social Security numbers. The company filed a report with the Maine attorney general, noting that the breach affected 1,004,443 individuals.
Breaches in healthcare are nothing new. It’s one of the most targeted industries for cyberattacks. However, medical device security is a unique aspect. Preventing breaches or hacks now has come under the purview of the FDA, and the agency wants to hold manufacturers accountable for security.
The FDA has updated Section 524B of the Food, Drug, and Cosmetic Act (FD&C Act). It mandates that all regulatory submissions for medical devices include information related to four core cybersecurity requirements. The law is now in effect, but the FDA has stated it won’t begin enforcement until October 1.
New Rules for Device Makers
Digging deeper into the new law and its impact, here are some key things to know:
- Manufacturers must submit plans outlining how they will track and address cybersecurity issues that may arise after the device is on the market.
- Companies must implement internal procedures to ensure devices are as cyber-secure as possible and roll out patches and updates once they uncover vulnerabilities.
- Device makers must submit a “software bill of materials” within their FDA paperwork, which must include every software component within a device.
- The fourth requirement is future-looking. It asks manufacturers to comply with rules yet to be created. Those potential regulations would involve demonstrating “reasonable assurance that devices and related systems are cyber secure.”
Beyond the requirements for manufacturers, the new law also requires that the FDA and CISA work together to update the current guidance on medical device cybersecurity within two years, and then update it periodically as needed.
The bill also charges the FDA to refresh its online resources within six months of the bill’s enactment and at least every year following. This information should stay up-to-date and relevant for healthcare organizations and manufacturers.
So, the onus is on the manufacturers to be cyber-focused in developing medical devices. This new stance could ensure device makers use best practices of being secure by design, a hallmark of DevSecOps. That’s good news for all stakeholders, but cybersecurity doesn’t stop at the development level. It’s also essential after the deployment of devices.
So, how can healthcare systems play their part in the future of medical device security?
How Big Is the Risk in the Future?
As connectivity continues to be a pursuit for healthcare, cyber risk elevates. We can look at what’s happening now to forecast the future.
A report on the Insecurity of Connected Devices in Healthcare found that 56% of organizations experienced one or more cyberattacks related to IoMT (Internet of Medical Things) or IoT (Internet of Things) devices in the past two years. Additionally, 89% of survey respondents said they dealt with almost one attack a week, impacting patient care.
Hospital networks have thousands of connected medical devices, all critical to care but ripe for exploitation. The FBI also took notice, issuing a notification in September of 2022. It stated that 53% of hospital-connected medical devices had known critical vulnerabilities. This government review of threats included recommendations for healthcare to:
- Use endpoint detection and response (EDR).
- Encrypt medical device data.
- Ensure admins change default passwords to secure ones.
- Maintain an inventory of devices and associated hardware and use this information to identify gaps.
- Work with manufacturers to mitigate vulnerabilities.
- Implement routine vulnerability scans.
- Expand training for employees.
With this on the FBI’s radar, it was likely a catalyst for the new FDA changes. Following these best practices can still be a challenge for health systems. One of the key reasons is the lack of resources. IT professionals already must wear many hats. The market has a significant shortage of these people, so most are also understaffed. In this environment, most people can only prioritize today’s fires and aren’t looking toward the future.
Healthcare organizations will need partners to support their efforts to move forward and become cyber-resilient.
Preparing for Medical Device Security’s Future: What Health Organizations Should Do
The medical device ecosystem is complex. There are many players and lots of different types of devices. There’s also no standardization around security specifications. The new FDA law offers some clarity here, but many variances remain. So, how do you prepare for tomorrow?
- Risk assessment should be part of your security culture. Performing these multiple times a year or when important things occur, like implementing new devices, is vital to strengthening your security posture. Get help with these from outside experts when your staff doesn’t have the capacity.
- AI is now in the mix, creating more concern. AI is good for the medical device industry regarding insights, data, and usability. It puts a wrinkle in the cybersecurity environment. There are positives and negatives, and you’ll want to devise a strategy to identify and address new AI risks.
- Supply chain attacks are another red flag. Supply chain security is another threat that will only increase as more software integrates into devices. As a result, healthcare organizations need robust rules around this and ensure that outdated software isn’t lingering. Managing this requires reviewing your inventory lists and documenting when they should receive an update.
- Endpoint monitoring needs to become more advanced. Endpoints are only growing, and they are beyond hospital walls as patients use medical devices at home. Building your fortress just got more complicated, so you’ll need a plan to tackle this and account for future growth.
- Update your incident response and disaster recovery to include medical devices. If you haven’t added medical devices to these protocols, you need to urgently. Every time you update these, you must ensure it aligns with all current medical devices.
- Create educational programs for staff and patients. If people aren’t aware of the cyber risks of medical devices, they may make poor choices. After all, human error is the leading cause of breaches and attacks. It should be mandatory for all staff and patients using devices outside the facility. Continuing to communicate cyber best practices should also be part of your plan.
- Understanding the gaps in your program must be a priority. Testing your system is the best way to see how robust it is. Penetration tests simulate how a hacker would attempt to infiltrate medical devices and your network. You should conduct these regularly to have a 360-degree view of how vulnerable you are.
- Remediation follow-through is critical after pen tests. Some organizations have a pen test and its results and then sit on them. Often, they don’t have the resources to do much more than the most crucial things. However, small things add up and can become much bigger and messier. Work with your pen test partner on what comes next so you’re continuously improving security.
Want to Build a More Secure Medical Device Future?
The best way to counter risk is with proactive and forward-looking strategies. You can manage risk much easier when you have an experienced partner who can shoulder the burden. Our team has years of expertise in healthcare and medical device cybersecurity. Contact us today to schedule a discovery session.