Two Medical Device Cybersecurity Gaps: Dispersed Responsibility and a Scarcity of Asset Inventory


The medical device cybersecurity landscape has many challenges that create more risk and concern. Food and Drug Administration (FDA) regulators have been working to close them, updating guidelines again in June. “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” establishes more rules but doesn’t address what many experts say are the biggest gaps: dispersed responsibility and a scarcity of asset inventory.

These issues specifically apply to devices that are resold or refurbished on the secondary market. In this environment, it’s still very much the Wild West. So, what could the industry do to manage these things more effectively so that risk dissipates instead of rising?

Medical Devices Don’t Have a Process for Identifying and Reporting Flaws on Legacy Systems

Currently, an established process for identifying and reporting issues with legacy devices doesn’t exist. The reason has much to do with the fact that the devices’ whereabouts are unknown.

If something occurs with a device that’s in use, one approved years before the sweeping FDA changes that require a software bill of materials (SBOM) or a patching workflow, there is no defined path forward. The information about the vulnerability or problem doesn’t make it to the manufacturer, regulators, or other stakeholders.

It is also a misconception that if a manufacturer finds a vulnerability in a device, they immediately notify all users of it. This would be impossible for the second-hand market because there’s no asset inventory list.

Is Creating Asset Inventory Listings Even Possible?

The solution would be to build one, but that would require many groups that are currently fragmented to work together. A sector-mapping system could deliver vulnerability information to those who actually use the devices.

Such a system would be a task force of sorts, involving:

  • Identification of vulnerability or hacks
  • Determining owners and operators
  • Immediate remediation
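To make the three task-force steps concrete, here is an added example (not code from the original post or from any regulator) of the matching logic such a sector-mapping system would need: an asset inventory that records each device's SBOM and owner, and a routine that takes a component advisory and works out which owners to notify. The device models, serial numbers, owners, component names and versions are all constructed sample data; the "unreachable" bucket is the secondary-market gap the post describes, where a device is affected but nobody knows who operates it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    """One entry in the asset inventory."""
    model: str
    serial: str
    sbom: Dict[str, str]                 # component name -> installed version
    owner: Optional[str] = None          # None = whereabouts unknown (resold/refurbished)


@dataclass
class Advisory:
    """A vulnerability notice for one software component (hypothetical format)."""
    advisory_id: str
    component: str
    affected_versions: Set[str]


def affected_devices(inventory: List[Device], advisory: Advisory) -> List[Device]:
    """Return every device whose SBOM lists the advised component at an affected version."""
    return [
        d for d in inventory
        if d.sbom.get(advisory.component) in advisory.affected_versions
    ]


def notification_plan(inventory: List[Device], advisory: Advisory) -> Dict[str, object]:
    """Step 2 of the task force: map affected devices to the owners who must be told.

    Devices with a known owner are grouped under that owner; devices with no
    recorded owner go into 'unreachable', which is the list the sector-mapping
    effort would still have to resolve by other means.
    """
    notify: Dict[str, List[str]] = {}
    unreachable: List[str] = []
    for d in affected_devices(inventory, advisory):
        if d.owner is None:
            unreachable.append(d.serial)
        else:
            notify.setdefault(d.owner, []).append(d.serial)
    return {"advisory": advisory.advisory_id, "notify": notify, "unreachable": unreachable}


# Constructed sample inventory: two hospitals plus one device of unknown ownership.
SAMPLE_INVENTORY = [
    Device("InfusionPump-X", "SN-001", {"openssl": "1.0.2", "rtos": "4.1"}, owner="Hospital A"),
    Device("InfusionPump-X", "SN-002", {"openssl": "3.0.9", "rtos": "4.1"}, owner="Hospital B"),
    Device("InfusionPump-X", "SN-003", {"openssl": "1.0.2", "rtos": "4.0"}, owner=None),
    Device("Monitor-Y",      "SN-004", {"rtos": "4.1"},                      owner="Hospital A"),
]

# Constructed advisory: a hypothetical flaw in one openssl version.
SAMPLE_ADVISORY = Advisory("EXAMPLE-ADV-0001", "openssl", {"1.0.2"})


if __name__ == "__main__":
    plan = notification_plan(SAMPLE_INVENTORY, SAMPLE_ADVISORY)
    for owner, serials in plan["notify"].items():
        print(f"notify {owner}: {', '.join(serials)}")
    print(f"affected but owner unknown: {plan['unreachable']}")
```

Without an inventory there is no `SAMPLE_INVENTORY` to run this against at all; with a partial one, the `unreachable` list is exactly the set of devices the post says vulnerability information never reaches.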

The lack of an asset inventory initiative isn’t uncommon in critical infrastructure. A regulatory rule is in place for the Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to internet service providers (ISPs) to identify owners of vulnerable IT assets. However, it’s been used very sparingly.

Without defined guidance or parameters, the asset inventory issue looms for those devices in the secondary market. The equipment still has useful life left, so complete decommissioning isn’t prudent. It would also likely inflate costs, which would deter investment in medical devices from healthcare systems.

It also feeds into the other issue of dispersed responsibility.

Dispersed Responsibility in Medical Device Cybersecurity

Dispersed responsibility characterizes the challenge of security not being owned by a single entity. It’s a shared burden across all parties—manufacturers, healthcare providers, regulatory agencies, and patients.

While postmarket medical device cybersecurity is a shared responsibility, this model creates considerable gaps, including:

  • Security posture weaknesses, leaving systems more susceptible to cyberattacks
  • Inconsistency in managing vulnerabilities because there’s no centralized process
  • Lack of transparency
  • Insufficient communication across stakeholders
  • Patient safety risk

There’s no one answer to dispersed responsibility, and no single party can change it, because everyone has to cooperate and collaborate. The FDA guidance does firm up these relationships going forward, but it doesn’t look back.

If the industry is actually going to improve the issues with legacy systems, it must develop best practices for their management as a whole and ensure everyone is accountable for their part. This may need to happen outside of the regulatory framework, as the FDA is increasingly overburdened and short-staffed.

Traceability of the devices is integral to managing emerging threats and risks. It behooves all stakeholders to work together on this to strengthen patient safety and ensure the continued use of a device in its second life.

Do you have questions about medical device cybersecurity gaps? We can help. Contact us today to get started.
