Medical devices have become a key component of healthcare. They often help patients manage chronic diseases and enable physicians to extend care beyond the clinic. For all the good they bring, there is also risk. Cybersecurity in the medical device industry has become a priority and a concern. The FDA (Food & Drug Administration) mandates compliance with security requirements throughout the life cycle, from initial approval through use of the device on the market.
Medical device manufacturers must deliver products that meet healthcare needs and are secure. Medical device cybersecurity is a complex topic, and this post provides insights and best practices.
What Is Cybersecurity in the Medical Device Industry?
Cybersecurity in the medical device industry describes the environment of threats and risks related to the use of these devices. Most of them are connected, meaning they are part of a network. The connectivity is necessary for several reasons, including:
- RPM (remote patient monitoring) devices are online to sync readings patients take at home and deliver them back to a provider’s software.
- Implanted devices like pacemakers and drug infusion pumps use wireless connectivity to support regular heart activity and deliver the right amount of medication.
- Diagnostic devices typically live on a hospital network and share images and data about patients.
In addition, medical devices run software inside the hardware, which can be an avenue cybercriminals take to breach them. Because software needs constant updates and fixes, any gap in that process creates vulnerabilities.
So, why are hackers interested in medical devices?
The Appeal of Medical Device Hacking
Healthcare has always had a big target on its back. Cybercriminals launch more attacks on this industry than on any other, and medical device hacking has expanded the threat landscape. Devices are appealing targets because attackers can:
- Steal ePHI (electronic protected health information), which can be lucrative to criminals.
- Launch ransomware attacks to cause chaos in hospitals and their ability to deliver care.
- Impact patient safety as a means to inflict harm and wreak havoc.
Unfortunately, the healthcare cybersecurity ecosystem is often unprepared for these attacks. It all starts with manufacturers, which now have FDA requirements to meet.
The State of Risk in the Medical Device Industry
A recent report on healthcare and medical device cybersecurity offered a glimpse at the real-world risk. In the study, 53% of respondents cited insecure medical devices as a leading threat. The same study found that only 47% had a prevention and response strategy for medical device hacking threats.
The growing risk has even attracted the attention of the FBI. They published a report with the AHA (American Hospital Association) declaring an increase in vulnerabilities. The culprits were unpatched devices and outdated software. Additionally, they noted that IAM (identity and access management) was a risk and found that 53% of digital medical devices and internet-connected elements had critical vulnerabilities.
What makes medical device cyberattacks more concerning than those other industries face is the threat to patient safety: there is potential for physical harm to the people who use the devices. Since the landscape is broad, the industry has many issues to consider.
What Are the Top Cybersecurity Issues in Medical Devices?
Medical devices are sophisticated technology. They include hardware and software and connect to networks, so in that respect they resemble any IoT (Internet of Things) device and carry similar risks. The most concerning medical device cybersecurity issues include:
- Lack of encryption of data while in transmission or at rest
- Inadequate user authentication protocols
- Outdated software in need of updates and patches
- Unsecured wireless networks
- Remote access vulnerabilities
- Integration challenges
- Misconfigurations with the software or cloud it connects to
These are only a few of the concerns. However, legislative changes and heightened vigilance are attempting to change this risk trajectory: the FDA has implemented new rules for medical device manufacturers that seek to close these gaps.
FDA Rules for the Medical Device Cybersecurity Industry
In response to the rising threats, the FDA issued new cybersecurity rules for manufacturers in 2023. As a result, the process of gaining and keeping FDA approval became more complex.
The new rules come from an update to Section 524B of the Food, Drug, and Cosmetic Act (FD&C Act). The new requirements include:
- Manufacturers must submit plans for tracking and addressing cybersecurity issues after the device goes to market.
- Organizations must implement internal protocols for medical device security that identify vulnerabilities and verify that patches and updates are released.
- Manufacturers must include an SBOM (software bill of materials) in their initial FDA filings that lists all software components.
- The industry must agree to comply with yet-to-be-created guidelines on being cyber-secure.
These new requirements apply to an FDA-defined “cyber device.” The FDA defines a cyber device as one that includes software, can connect to the internet, and could contain vulnerabilities that pose a cyber threat.
To understand their impact on cybersecurity in the medical device industry, let’s dive deeper into these mandates.
SOUPs, SBOMs, and Facades: Their Role in Compliance and Security
In addition to FDA rules, medical device manufacturers must follow other regulations, such as the IEC 62304:2006 medical device software standard. Three components support compliance and improve security: SOUPs (software of unknown pedigree), SBOMs, and facades, which are software design patterns employed in object-oriented programming.
What Is a SOUP?
A SOUP is any external code the development team uses during design whose security properties are unknown. Developers in every industry depend heavily on open-source libraries because they make development faster and more efficient. As part of compliance with IEC 62304:2006, documenting SOUP is mandatory, and manufacturers must also monitor for updates and fixes that address weaknesses in that open-source code. Identifying SOUP is the first step toward creating your SBOM.
What Is an SBOM?
An SBOM is the formal, standardized list of all software used in the device, its dependencies, and associated metadata. It is like an inventory of parts; it is necessary to comply with the FDA and to create an environment of transparency and risk prevention. An SBOM has four parts:
- Software that’s open-source and third-party
- Firmware and binaries
- Cloud resources
- APIs (application programming interfaces) a device integrates with or sends data to
SBOMs are not exactly new as an FDA medical device cybersecurity requirement; they were already necessary in the FDA application. The updated rules, however, impose more rigid requirements for completeness in these submissions.
In addition to the list, you must also create and provide information on testing of devices to assess:
- Risk related to confidentiality, availability, and integrity
- The condition of system entry points
- Current controls in use
- Data flow models
There are even more requirements by the FDA relating to SBOMs. You must develop:
- Threat trees
- Traceability matrices
- Standard operating procedures
- Software architecture cybersecurity
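To make the SOUP-to-SBOM relationship concrete, here is an added Python example (not code from the original post or from any manufacturer): it takes a constructed SOUP inventory covering the four SBOM parts above, emits a simplified SBOM whose layout loosely follows CycloneDX (executable components under "components", cloud resources and APIs under "services"), and then checks the components against a constructed advisory feed, which is the post-market monitoring step the FDA rules require. All component names, versions, suppliers and advisory ids are placeholders.

```python
import json
from dataclasses import dataclass


@dataclass
class SoupItem:
    """One entry from the SOUP inventory (constructed sample data)."""
    name: str
    version: str
    kind: str       # "library" | "firmware" | "cloud-resource" | "api"
    supplier: str
    license: str


# Constructed SOUP inventory covering the four SBOM parts named in the post.
# Names, versions and suppliers are placeholders, not real products.
SOUP_INVENTORY = [
    SoupItem("tls-lite", "1.4.2", "library", "example-oss", "MIT"),
    SoupItem("ble-stack", "3.0.0", "firmware", "example-chip-vendor", "proprietary"),
    SoupItem("telemetry-bucket", "2024.1", "cloud-resource", "example-cloud", "n/a"),
    SoupItem("ehr-sync-api", "v2", "api", "example-provider", "n/a"),
]

# Constructed advisory feed: component -> first fixed version. Placeholder ids.
ADVISORIES = {
    "tls-lite": {"id": "ADV-PLACEHOLDER-001", "fixed_in": "1.4.5"},
    "ble-stack": {"id": "ADV-PLACEHOLDER-002", "fixed_in": "3.0.0"},  # already at fixed version
}


def parse_version(text: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); a leading 'v' is dropped, non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.lstrip("v").split("."))


def build_sbom(inventory, device_name: str, device_version: str) -> dict:
    """Turn the SOUP inventory into a simplified CycloneDX-style SBOM dict.

    Executable software (libraries, firmware) goes under "components";
    cloud resources and APIs the device talks to go under "services",
    mirroring the way CycloneDX separates the two.
    """
    components, services = [], []
    for item in inventory:
        if item.kind in ("library", "firmware"):
            components.append({
                "type": item.kind,
                "name": item.name,
                "version": item.version,
                "supplier": {"name": item.supplier},
                "licenses": [{"license": {"name": item.license}}],
            })
        else:
            services.append({
                "name": item.name,
                "version": item.version,
                "provider": {"name": item.supplier},
            })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": device_name, "version": device_version}},
        "components": components,
        "services": services,
    }


def find_vulnerable(sbom: dict, advisories: dict) -> list:
    """List (name, version, advisory id) for components older than the fixed version.

    This is the post-market monitoring step: re-run it whenever the advisory
    feed changes, without rebuilding the device.
    """
    hits = []
    for comp in sbom["components"]:
        adv = advisories.get(comp["name"])
        if adv and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def to_json(sbom: dict) -> str:
    """Serialise the SBOM for inclusion in a submission package."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_sbom(SOUP_INVENTORY, "example-infusion-pump", "0.1.0")
    print(to_json(bom))
    for name, version, adv_id in find_vulnerable(bom, ADVISORIES):
        print(f"UPDATE NEEDED: {name} {version} ({adv_id})")
```

Running the script prints the SBOM and flags only `tls-lite`, because `ble-stack` is already at the advisory's fixed version. In practice the advisory feed would be a real vulnerability database keyed by package identifier, and the check would run on a schedule as part of the post-market plan.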
What Are Facades?
A facade is a software design pattern: an object that presents a simple front-facing interface to more complex underlying and structural code. Facades can support compliance in several ways. First, they improve the usability and readability of software by hiding interactions and components behind one API. Second, they provide a context-specific interface that improves functionality.
Since medical devices use software, facades are common. Using them isolates the rest of the code from the library that handles actions such as authentication, reading, writing, and deleting.
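As an added example (not code from the original post or from any device vendor), the facade below gives device code a single, access-controlled entry point to a record store. `_RawStore` is a constructed stand-in for whatever storage library a real device would use; the user table and record keys are sample data. The point it demonstrates is the security benefit of the pattern: because callers never touch the underlying library, every read, write and delete passes through the same session check and lands in one audit log.

```python
import hashlib
import hmac
import secrets
import time


class _RawStore:
    """Stand-in for the underlying storage library (constructed, no access control)."""

    def __init__(self):
        self._rows = {}

    def get(self, key):
        return self._rows.get(key)

    def put(self, key, value):
        self._rows[key] = value

    def remove(self, key):
        self._rows.pop(key, None)


class AuthError(Exception):
    """Raised when a caller has no valid session or fails authentication."""


def make_user(password: str) -> tuple:
    """Build a (salt, PBKDF2 hash) credential record for the sample user table."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RecordFacade:
    """Single front door to records: authenticate, then read/write/delete.

    Device code calls only this class; _RawStore is never exposed, so every
    data access goes through the same session check and audit log.
    """

    def __init__(self, users: dict):
        self._store = _RawStore()
        self._users = users          # username -> (salt, hash)
        self._sessions = {}          # session token -> username
        self.audit = []              # (timestamp, action, user, key) for review

    def authenticate(self, user: str, password: str) -> str:
        rec = self._users.get(user)
        if rec is None:
            raise AuthError("unknown user")
        salt, expected = rec
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, expected):   # constant-time comparison
            raise AuthError("bad password")
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def _require(self, token: str, action: str, key: str) -> str:
        """Common gate for every data operation: valid session, then audit entry."""
        user = self._sessions.get(token)
        if user is None:
            raise AuthError("no valid session for %s" % action)
        self.audit.append((time.time(), action, user, key))
        return user

    def read(self, token: str, key: str):
        self._require(token, "read", key)
        return self._store.get(key)

    def write(self, token: str, key: str, value) -> None:
        self._require(token, "write", key)
        self._store.put(key, value)

    def delete(self, token: str, key: str) -> None:
        self._require(token, "delete", key)
        self._store.remove(key)


def demo() -> dict:
    """Exercise the facade with a constructed user and return the observed outcomes."""
    facade = RecordFacade({"nurse": make_user("sample-password")})
    out = {}
    try:
        facade.read("not-a-token", "patient-42")
        out["unauthenticated_read"] = "allowed"
    except AuthError:
        out["unauthenticated_read"] = "blocked"
    token = facade.authenticate("nurse", "sample-password")
    facade.write(token, "patient-42", {"glucose_mg_dl": 110})
    out["read_after_auth"] = facade.read(token, "patient-42")
    facade.delete(token, "patient-42")
    out["read_after_delete"] = facade.read(token, "patient-42")
    facade.logout(token)
    try:
        facade.read(token, "patient-42")
        out["read_after_logout"] = "allowed"
    except AuthError:
        out["read_after_logout"] = "blocked"
    out["audit_entries"] = len(facade.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

Swapping the storage library, or adding a rule such as role checks or rate limiting, changes only `RecordFacade`; the rest of the device code and its test evidence for the submission stay untouched.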
The FDA is serious and focused on cybersecurity, as are manufacturers. The process has become more cumbersome. Looking for outside support can ease the strain. A medical device cybersecurity firm can be a key partner to help you navigate these new hurdles.
How Experts Can Support Cybersecurity in the Medical Device Industry
You can gain many benefits and accelerate approvals while being compliant and security-first with an experienced partner. Here’s how they can help:
Premarket Notification 510(k) Submissions
A 510(k) must demonstrate that the medical device is safe and effective, meaning it is substantially equivalent (SE) to a legally marketed device.
The submission must compare the device seeking clearance with one already on the market. For a device to be SE, it must have one of these characteristics:
- It has the same intended use and technological attributes as the predicate device.
- It has the same intended use with a different technical makeup but does not raise new questions of safety and effectiveness.
With the FDA’s push on cybersecurity, the 510(k) submission is more detailed and thorough, and a shortfall can cause the FDA to kick back a 510(k). You can avoid this by working with a firm with extensive experience with these requirements.
Medical Device Pen Testing
Medical device pen testing supports FDA and other regulatory requirements. Pen tests, which are simulated cyberattacks, help satisfy multiple mandates, including the 510(k), the FD&C Act, NIST SP 800-115, the UL 2900 standards, and more. Regular pen tests cultivate a culture of proactive cybersecurity: knowing about flaws before attackers do enables you to remediate them. Testing should be ongoing so you can adhere to the FD&C Act requirements for devices once they are on the market.
Cybersecurity in the medical device industry is always evolving, and you need a partner to ensure compliance and the security of devices to prevent breaches or patient harm. You’ll find that with our team. We specialize in medical device cybersecurity.
Learn more about how we can assist you by requesting a discovery meeting.