FDA requirements for medical devices prioritize cybersecurity to avoid regulatory, legal consequences

Understanding the components of the Food and Drug Administration (FDA) guidance and their legal ramifications is crucial as the agency sets out to implement its new medical device cybersecurity protocols and prepares for strict enforcement in October 2023. Healthcare stakeholders must bring into their infrastructure cybersecurity provisions that cover software bill of materials (SBOM) and vulnerability disclosure reporting. These rules establish new cybersecurity requirements for cyber devices, which must contain specific cybersecurity-related information, such as a description of a plan for quickly identifying and fixing vulnerabilities and exploits. 

The FDA stated that it generally does not intend to issue ‘refuse to accept’ (RTA) decisions for premarket submissions submitted for cyber devices before Oct. 1, 2023 based solely on the information required by the new amendments to the Federal Food, Drug, and Cosmetic Act (FD&C Act) for ensuring the cybersecurity of devices. Instead, the agency intends to collaborate with the sponsors of such premarket submissions as part of the interactive and/or deficiency review processes.

“As the medical device industry continues to evolve, cybersecurity risks will only become more complex and challenging,” Lee H. Rosebush, Lynn Sessions, Laura E. Macherelli, and Eric D. Morris wrote in a Baker & Hostetler post in April. “The FDA’s actions are critical steps toward ensuring that medical devices remain secure and safe for patients. Manufacturers must take necessary steps to comply with the guidance and prioritize cybersecurity in their product development process to avoid regulatory and legal consequences.”

Not-for-profit organization MITRE identifies that implementing cyber hygiene practices is a shared responsibility across the federal government and private sector. The technologies that are bringing innovations to healthcare are rapidly evolving and attackers are becoming more sophisticated. The process of creating cyber hygiene practices needs to be streamlined and agile to adapt to different clinical environments and varying levels of expertise, resources, and computational capabilities. These practices must also be designed to not inadvertently interfere with patient safety.

Last month, the U.S. Department of Health and Human Services (HHS) 405(d) Program conducted a Hospital Resiliency Landscape Analysis that reviewed active threats against hospitals and the cybersecurity capabilities of hospitals. The analysis also found that hospitals’ use of antiquated hardware, systems, and software is concerning. It identified that “96% of small, medium, and large-sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities, which is inclusive of medical devices. A common technique by threat actors is to exploit known vulnerabilities.”

Industrial Cyber reached out to cybersecurity experts in the medical sector to gauge the maturity level of hospital networks. They also investigated the steps that need to be taken to align with the guidance.

Jessica Wilkerson, senior cyber policy advisor within the FDA

“The new authorities represent a significant step forward in the FDA’s role in regulating cybersecurity as part of a medical device’s safety and effectiveness and further safeguarding patient safety and our national security,” Jessica Wilkerson, a senior cyber policy advisor with the All Hazards Readiness, Response, and Cybersecurity (ARC) team in the Center for Devices and Radiological Health (CDRH) within the FDA, told Industrial Cyber. “The new authorities apply to medical device manufacturers submitting a premarket application to the FDA for a cyber device. The new authorities require medical device manufacturers to submit a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits.” 

Wilkerson added that under the new authorities, manufacturers must also design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure, and make available postmarket updates and patches to the device and related systems.

“Cybersecurity incidents can render medical devices and hospital networks inoperable with the potential to disrupt the delivery of patient care across health care facilities in the U.S. and globally,” Wilkerson pointed out. “As we experience an increase in cyber threats across health systems, these new authorities will allow CDRH to work with manufacturers and other device stakeholders to ensure that cyber devices are designed securely and reduce the likelihood of harm to patients.”  

Wilkerson also highlighted that the FDA has also developed and released several resources available to hospitals and other healthcare delivery organizations to help them be better prepared for a cybersecurity incident involving their medical devices.

Joshua Corman, vice president of cyber safety strategy at Claroty

Joshua Corman, vice president of cyber safety strategy at Claroty, said that the FDA policy—a provision of the omnibus bill—among its requirements, asks for the medical device manufacturers to provide to the FDA an SBOM that specifies all commercial, open source, and off-the-shelf software components used in a device. “This SBOM requirement further assists in post-market surveillance for vendors to determine if new vulnerabilities and exploits affect the third-party components they leverage in software construction. Medical device manufacturers can no longer turn a blind eye to the risks posed to patients by security risks in the software they use,” he added.

“In terms of hospital readiness, Protecting and Transforming Cyber Health Care (PATCH) Act—another provision of the omnibus bill which establishes minimum cyber hygiene requirements for medical devices—will make medical devices inherently safer going forward,” Corman told Industrial Cyber. “The mandates for medical devices, which will be more secure, more maintainable, more defensible, hospitals without doing anything will have better security by virtue of these changes.”

He added that hospitals—large, medium, and small—can all benefit indirectly as these safer, more rigorously engineered devices matriculate through these regulatory requirements. “Looking forward, we can also expect to see more in terms of executive branch mandatory regulatory requirements for hospitals and specific legislation around hospital security hygiene coming soon.”

Mohammad Waqas, principal solutions architect for healthcare at Armis

“Medical device and IoMT security is a top concern for hospitals. These devices may be physically connected to people and can be critical to their health, and as such, carry sensitive personal information,” Mohammad Waqas, principal solutions architect for healthcare at Armis, told Industrial Cyber. “However, they often use out-of-date software, with one in five medical devices running unsupported operating systems. Compounding the issue is that hospitals often don’t know how many, or even which medical devices they have in their environment supporting patient care.”

Waqas highlighted that hospital networks are generally flat networks. “That is, any device can communicate with any other device on the network, which goes against cybersecurity best practices and multiplies the risk of a network. With legacy medical devices unable to install agents or traditional security solutions, network segmentation should be a prime focus for healthcare organizations to reduce medical device attack surfaces.” 

He added that other networks, such as energy and utility networks, generally have some type of segmentation with their most critical devices. Healthcare organizations historically have not taken this approach, so they are comparatively less mature in terms of network security.

“To comply with this guidance from the FDA, hospital networks will need to first focus on the basics. This means gaining visibility and a comprehensive, real-time understanding of what assets are in the network – you can’t protect what you can’t see,” according to Waqas. “This is why visibility and inventory of assets is a foundational requirement for any cybersecurity program. From there, as they map their network of devices and those devices’ communication patterns, they’ll then be able to triage the riskiest or most vulnerable assets to more effectively mitigate risk and secure these connected assets.”

David Leichner, CMO at Cybellum

“Recognizing the lack of preparedness by the industry (some companies are more mature than others in this regard), the FDA released the document you are referring to at the 11th hour – saving manufacturers from immediately falling out of compliance with the RTA only taking effect in October,” David Leichner, CMO at Cybellum, told Industrial Cyber. “Products submitted without demonstrating cyber resilience will not be immediately rejected but will be given an opportunity to strengthen their cybersecurity posture before being refused, in cooperation with FDA officials.”

Leichner added that, according to the FDA, SBOMs are critical for two reasons: transparency, as the bill of materials gives a full list of all software components and their versions – something that facilities currently lack; and resiliency, as once the contents of medical devices are identified, this list acts as a critical reference point to identify new vulnerabilities, address existing ones, speed up response times, and allow manufacturers to future-proof their devices.

“For HDOs, an immediate action that they can take to accelerate their ‘cyber maturity’ is to require dynamic, living, up-to-date SBOMs from every manufacturer for each device,” according to Leichner. “They should manage these assets so that if a vulnerability emerges, they will know exactly where the devices are that will require remediation by the MDMs.”

Gaps in healthcare sector need attention

The experts also explore the severity of the gaps in both medical device security processes and medical regulation compliance. They also evaluate the likely milestones that the healthcare sector will adopt as it works on strengthening its cybersecurity posture.

“The FDA views cybersecurity as patient safety. Without adequate cybersecurity considerations across all aspects of medical device systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device,” Wilkerson said. “Recognizing the importance of this issue, the agency works collaboratively with internal and external stakeholders, such as members of industry, the patient and security research communities, and others to develop important guidance documents for medical device manufacturers to ensure medical devices are cyber secure before coming to market and remain secure throughout their total lifecycle.”

Wilkerson added that the FDA recognizes that legacy medical devices may pose significant risks as these devices may be vulnerable to cyber exploits and/or incidents. “The cyber risks of legacy devices presently in distribution today (and that often have a long clinical use life), remain a significant concern for CDRH’s Medical Device Cybersecurity efforts. While new cybersecurity authorities granted by Congress to FDA in the most recent Omnibus are a significant step forward, they are limited to future technologies.” 

“The agency remains committed to working with internal and external members of the healthcare ecosystem, including the Healthcare Sector Coordinating Council (HSCC), which recently released its Health Industry Cybersecurity – Managing Legacy Technology Security framework containing considerations and resources to help mitigate this issue,” according to Wilkerson.

Additionally, the FDA recognizes that healthcare delivery organizations are responsible for implementing devices on their network and they may need to patch or change devices and/or supporting infrastructure to reduce security risks, Wilkerson added. “Recognizing that changes require risk assessment, the FDA recommends these organizations, including hospitals, work closely with medical device manufacturers to communicate changes that are necessary. Hospitals should also ensure they follow the labeling recommendations for the medical devices used in their facilities.”  

“Medical device manufacturers vary in preparedness and maturity of secure software development lifecycle practices. The under-invested-in industry will need to introduce more modern, more rigorous safe software development processes for medical device development,” Corman said. “There’s also an opportunity for hospitals to leverage requirements for newfound patchability and software supply chain transparency to implement better policies and programs around people, process, and technology that avails them to new capabilities in inventory and risk management and better visibility.”

Waqas points out that having a bulletproof defense against cyber attacks is nearly impossible. “So, leaders must understand the threat landscape and adapt to it by having multi-layered defense strategies that strengthen their cybersecurity posture. This includes understanding your environment, identifying risks and managing vulnerabilities across your assets that can cause costly disruptions, and applying appropriate security controls — while complying with HIPAA and state and federal patient privacy laws.” 

“Given rapid digital transformation and the explosion of connected medical devices, the current gaps that exist only continue to widen as new technology is introduced and connected to networks of healthcare delivery organizations,” Waqas added. “And, it’s not only the medical devices themselves that healthcare providers need to consider – it’s also the technologies that help the hospitals to run efficiently that also have critical severity unpatched Common Vulnerabilities and Exposures (CVEs). In addition to nurse call systems and medication dispensing systems, building management technologies, such as HVAC, badge readers, and cameras, need to be monitored alongside IoMT devices for unpatched CVEs.”

While new regulations are taking critical steps to secure the newer medical devices that enter the market, it’s important to note that legacy devices (or those already in circulation as part of a hospital’s medical device fleet) still need to be accounted for, Waqas underlines. “These are the devices that still contribute to the attack surface and overall risk of a healthcare organization but were not built with the new regulation requirements such as addressing vulnerabilities. Further compounding this is that medical devices can be extremely expensive to replace. So while they may be operationally functional, they pose a serious cyber risk. Implementing compensating controls – usually in the form of network segmentation – is an important next step.”

“As the healthcare system moves forward, we’ll likely see more gated measures, such as the latest regulatory guidance – which requires built-in cybersecurity and increased visibility for organizations,” Waqas said. “Even providing the SBOMs greatly helps cybersecurity teams have greater visibility. This also sets up vendors for developing additional security measures into their products, as well as documenting these amongst other key visibility areas – such as expected device behaviors and network communication patterns that will help healthcare organizations build out necessary compensating controls.”

He added that “we are also seeing additional regulatory reporting requirements, particularly in the UK, around medical device risk reporting and response requirements for high severity alerts and vulnerabilities. This is definitely momentum the rest of the world seems to be picking up, as many are having conversations at government levels.”

Leichner pointed out that cybersecurity for MDMs is not a new concept, but rather something that has been gradually increasing. “Leading up to the FDA’s RTA announcement there were – updated FDA guidelines, Executive Order 14028, Omnibus Bill, and the White House 2023 Cybersecurity Strategy.”

“All of these put an emphasis on better cyber resiliency in the mission-critical products we rely on, such as medical and the utility companies that support them,” Leichner highlighted. “The FDA has been pushing for greater product security for some time but has held back on dictating ‘how’ until recently through SBOMs and ongoing vulnerability monitoring and management.”

He added that the likely milestones “that we expect are outlined in the Omnibus bill on page 3538, section 524B- ‘Ensuring Cybersecurity of Devices’.” 

To paraphrase, Leichner said that manufacturers must have a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities in a timely manner. This is best achieved by having a list of all components that exist within each specific device on which to conduct vulnerability discoveries. Additionally, they must design, develop, and maintain a schedule that ensures the device can identify ‘unacceptable vulnerabilities’ to minimize risk and identify critical vulnerabilities that could cause uncontrolled risk. They must also provide an SBOM with OSS, commercial, and off-the-shelf components; and the device has to maintain connectivity and the ability to update throughout its life to comply with future product security requirements.
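As an added example (not code from the FDA, Industrial Cyber, or any vendor quoted here) of the SBOM-driven process Leichner describes, and of the HDO-side asset management he and Waqas recommend, the script below takes constructed CycloneDX-style SBOMs, a constructed fleet inventory and a placeholder advisory, and produces the list of devices and locations that need remediation. It assumes the fleet inventory records each device's model, and it flags components whose version the SBOM omits rather than treating them as safe.

```python
"""Turn a new advisory into a remediation worklist using per-model SBOMs and a
fleet inventory. Added example: device models, serials, locations and the
advisory are constructed sample data, not values from the FDA or any vendor."""
import json
import re

# Constructed SBOMs, one per device model, in a CycloneDX-style JSON shape.
SBOMS = {
    "infusion-pump-x1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "OpenSSL", "version": "1.1.1k"},
            {"type": "library", "name": "zlib", "version": "1.2.11"},
            {"type": "operating-system", "name": "linux-kernel", "version": "4.9.300"},
        ]}),
    "patient-monitor-m2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.8"},
            {"type": "library", "name": "zlib", "version": "1.2.13"},
        ]}),
    "legacy-ventilator-v0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        # Vendor supplied no version for zlib: the SBOM cannot prove it is safe.
        "components": [{"type": "library", "name": "zlib"}],
    }),
}

# Constructed fleet inventory: (serial, model, location).
FLEET = [
    ("SN-1001", "infusion-pump-x1", "ICU-3"),
    ("SN-1002", "infusion-pump-x1", "ICU-4"),
    ("SN-2001", "patient-monitor-m2", "ER-1"),
    ("SN-3001", "legacy-ventilator-v0", "ICU-3"),
]

# Constructed advisory (placeholder id, not a real CVE): zlib before 1.2.12.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "component": "zlib", "fixed_in": "1.2.12"}


def version_key(v):
    """Comparable key: numeric runs as ints, letter runs (OpenSSL's '1.1.1k') as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


def components(sbom_json):
    """Yield (normalised name, version or None) for each SBOM component."""
    for c in json.loads(sbom_json).get("components", []):
        yield c["name"].lower(), c.get("version")


def model_status(sbom_json, advisory):
    """'affected', 'unknown' (component present but unversioned) or 'clear'."""
    target = advisory["component"].lower()
    fixed = version_key(advisory["fixed_in"])
    status = "clear"
    for name, version in components(sbom_json):
        if name != target:
            continue
        if version is None:
            status = "unknown"          # flag for manual follow-up with the MDM
        elif version_key(version) < fixed:
            return "affected"
    return status


def remediation_worklist(advisory, sboms, fleet):
    """Map the advisory onto the fleet: which devices, and where, need action?"""
    by_model = {m: model_status(s, advisory) for m, s in sboms.items()}
    work = []
    for serial, model, location in fleet:
        status = by_model.get(model, "unknown")  # no SBOM on file is also unknown
        if status != "clear":
            work.append({"serial": serial, "model": model, "location": location,
                         "advisory": advisory["id"], "status": status})
    return work


if __name__ == "__main__":
    for row in remediation_worklist(ADVISORY, SBOMS, FLEET):
        print(row)
```

Devices whose model has no SBOM on file, or whose SBOM lists the component without a version, land on the worklist as "unknown" so they are chased with the manufacturer instead of silently assumed clean.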

Impact of guidelines on healthcare cybersecurity posture

With the FDA adopting a more proactive and aggressive approach, the experts shed light on the impact of cybersecurity incidents on the healthcare sector so far, and the likely impact that these guidelines will have on the sector’s cybersecurity posture in the long term. They also assess how prepared the healthcare sector is to improve on key areas, such as SBOM analysis, risk assessment, and compliance readiness.

“The FDA has long recognized that cybersecurity is a factor in patient safety. The FD&C Act mandated that the FDA review devices for the reasonable assurance of safety and effectiveness, which the FDA has long considered to include medical device cybersecurity,” Wilkerson said. “The FDA’s new authority to review devices for reasonable assurance of cybersecurity will strengthen this process.” 

Through the Health Sector Coordinating Council, public-private partnership efforts around SBOM, and other collaborative efforts, the sector has made great strides in maturing health sector cybersecurity, Wilkerson identified. “HSCC publications addressing medical device cybersecurity best practices and recommendations, legacy technologies, and vulnerability communications, among others, have created a rich library of resources for healthcare stakeholders to draw on.” 

She added that “work done by industry and government representatives to create SBOM-related processes through the NTIA’s and now CISA’s multi-stakeholder software transparency efforts are helping to mature the sector’s SBOM capabilities.”

Corman said that to think about healthcare sector preparedness “we need to examine it as the haves and the have nots—larger organizations or hospital networks that have abundant resources and the small/medium/rural hospitals who tend to be target rich and cyber poor. The latter group is those the legislation aims to raise up and give access to budget and skills to avail themselves of modern risk management.” 

He added that there is thus one group that is already prepared and one that is not, which is why there is currently bipartisan political will to give stimulus to those who need it.

“Healthcare continues to be a prime target for cybercriminals. The expanding attack surface of IoT, IoMT, and connected medical devices has exponentially increased vulnerabilities in the last few years,” Waqas said. “So it remains to be seen whether these FDA guidelines will significantly improve medical device cybersecurity, but this guidance is an important first step in building awareness about the issues facing these critical care centers which need to be proactively addressed. It may take years for the industry to see gains, as healthcare organizations are often employing years-old devices while trying to integrate new connected technologies to their networks.”

Waqas added that more and more healthcare organizations are positioning their processes to take into consideration the new regulations. “For example, some are requiring MDS2 and SBOMs to be provided as part of the procurement process in order to conduct the risk assessment up-front. We have yet to see how effective the cybersecurity vulnerability response plans are; however, it is a positive sign the healthcare sector is taking advantage of the regulations.”

“When you take into account healthcare organizations of varying size, there are different amounts of resources available,” according to Waqas. “Continuous risk assessment, particularly on unmanaged medical devices, is an area where managed service providers have started offering services to analyze and remediate devices. This is an area smaller organizations can explore outsourcing if they feel they don’t have enough personnel to task.”

Many of the devices companies are managing are somewhere in the middle of their lifecycle, meaning they were initially developed in an era of weaker cyber resilience, according to Leichner. “Deployed and active in the field for years, manufacturers still need more time to conduct proper SBOM generating, management, and vulnerability discovery.”

Leichner added that the medical device industry is motivated to comply with the new FDA regulations. “We see demand from the market for better security, enforcement from the FDA for better transparency, and manufacturers who are fully aware that they are always a single incident away from reputational damage. But there is no question that the new policies and guidelines are driving the market to better cybersecurity and the industry is in ramp-up mode.”

Adoption of coordinated approach

Given the diverse, expansive, and critical nature of the healthcare sector, experts weigh in on whether there should be a more coordinated approach that overlaps federal guidelines. They also look into ways to reduce the costs of securing healthcare devices, systems, and facilities by including physical and cybersecurity components when designing, developing, and maintaining processes and procedures.

“FDA’s and the sector’s experience has shown that building cybersecurity into devices throughout the entire product lifecycle can reduce costs and significantly increase the efficacy of cybersecurity controls and capabilities,” Wilkerson said. “At the same time, threats and vulnerabilities cannot be fully eliminated, and reducing cybersecurity risks can be especially challenging.” 

She added that the healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks. “The agency frequently collaborates with internal and external stakeholders such as other United States federal agencies, the International Medical Device Regulators Forum, the HSCC, MITRE, and others, to promote harmonized approaches to medical device cybersecurity at a fundamental level, including resources for threat modeling and supporting cybersecure technology solutions in the healthcare environment.” 

Corman indicated that a more coordinated approach started when the White House charged CISA last year with creating cross-sector cybersecurity performance goals (CPGs) to be sector-agnostic to give some common advice and control types, irrespective of which aspect of a multi-pronged sector is considered. “The aim being to harmonize baseline cyber hygiene. Key to success is collaborative, productive public-private partnerships, between the White House philosophy and sector philosophy that brings about processes and regulations that meaningfully reduce risk to the nation’s hospitals. There is more harmonization still required.”

“We’re seeing a number of healthcare organizations collaborating together to take a holistic and unified approach to cybersecurity. One such example to reduce costs of securing healthcare devices and environments is through regional purchasing for a single solution across multiple hospitals to achieve economies of scale,” Waqas said. “Government initiatives also contribute to this, such as establishing regional SOCs for multiple hospitals for greater cybersecurity and achieving cost savings at the same time.”

Another way organizations can reduce costs and streamline processes is through collaboration between clinical engineering teams and cybersecurity teams to secure medical devices, Waqas pointed out. “Clinical engineers can have access to security documentation and inventory information which cybersecurity teams aren’t privy to. However, the documentation can outline zero-cost security controls that can be implemented immediately, thereby helping reduce the overall risk of the device as well as the network.” 

He added that to ensure alignment to this, “there should be well-defined processes around procurement, deployment and configuration, maintenance, and secure disposal of medical devices created in conjunction with the clinical engineering and information security teams. Once processes are established, looking for ways to streamline and automate are going to be necessary for cost savings – both in dollars and personnel hours spent – as smart devices continue to grow and healthcare manufacturers continue to innovate.”

“It all starts at design and development. We often use the analogy that an SBOM is like a list of software ingredients,” Leichner said. “As we’ve seen with legacy devices, it’s much easier to begin keeping track of software and hardware components than it is to figure out the ingredients once the software ‘cake’ is fully baked.”

To reduce the cost of securing and the likelihood of a cyber-attack on medical devices, Leichner emphasized that organizations should start early in the development process, integrating relevant engineers and security experts into the product lifecycle process. They must also remain vigilant with supply chain vendors, and keep SBOMs updated, he concluded.
