fda medical device security blog

FDA Takes a Big Step Forward for Medical Device Security

Last-minute omnibus spending bills are Capitol Hill’s candy jars. These bills, which roll up 12 months of overdue lawmaking at the year’s end, are often stuffed with ‘pork’ – political sweeteners worked in at the last minute to curry favour with politicians’ local constituents. However, they can sometimes usher through long-overdue measures that might otherwise languish on the Hill.

Last December, the $1.7tn Consolidated Appropriations Act (CAA) included a critical component: legislation that would finally force medical device manufacturers to stay on top of cybersecurity after their devices leave the shelves.

Section 3305 of the CAA amended the Federal Food, Drug, & Cosmetic Act by adding section 542B, ‘Ensuring Cybersecurity of Medical Devices’. This new regulation applies to any FDA-covered device that connects to the internet and could be vulnerable to cybersecurity issues.

A Continual Approach to Cybersecurity 

Some of the language in the new law comes from a mandatory set of rules that had been working its way through Congress. The Protecting and Transforming Cyber Health Care (PATCH) Act, issued in March 2022, attempted to legislate cybersecurity controls for medical devices.

Echoing the PATCH Act, the new law forces medical device manufacturers to give the Agency a plan for monitoring, identifying, and addressing cybersecurity vulnerabilities after launching the devices.

Device manufacturers must also adopt a coordinated vulnerability disclosure program. This means they can no longer sweep bugs under the rug by ignoring them or the researchers raising them.

Vendors must also offer a software bill of materials (SBOM) that lists which software components the device uses, in a big nod from the FDA to supply chain security.

The FDA Secretary must update the Agency’s guidance on premarket cybersecurity submissions for medical devices using feedback from stakeholders, including manufacturers and healthcare providers. The FDA must also publish information and resources about improving the cybersecurity of medical devices each year.

The U.S. Government Accountability Office (GAO) will also publish an annual report detailing any barriers stakeholders have experienced in securing federal government support to improve device cybersecurity.

The CAA’s language isn’t the first requiring some cybersecurity effort from device vendors. The FDA already has a Quality System Regulation (QSR) that mandates a risk-based approach to cybersecurity from device manufacturers, meaning they must identify the likelihood and impact of cyber risks.

The QSR only goes so far, though. By specifically outlining the ongoing cybersecurity remediation program post-release, the new law forces a more continual approach to cybersecurity rather than a ‘fire and forget’ approach that only attests to device security at a single point in time.

Years of Fighting for Cybersecurity 

The law, which came into effect on March 29 2023, is the culmination of a long initiative on device cybersecurity from the FDA. This dates back to 2005 when the Agency released guidance on handling networked devices containing commercial off-the-shelf software. In 2014, it issued its first specific guidance on planning and documenting cybersecurity measures for devices after sale. It updated this in 2018.

Then, in April 2022, it published another set of draft cybersecurity guidelines on premarket approval submissions that replaced the 2018 document. This document also called for a software bill of materials to track third-party components. It recommended a Secure Product Development Framework to reduce security vulnerabilities and built-in update capabilities for devices.

While the agency’s efforts have been laudable, its FDA guidelines on device security thus far have been voluntary, which generally means that industry compliance will be spotty.

Experts who have worked for the FDA have suggested cybersecurity has been an uphill struggle for the Agency. It didn’t even have a single person dedicated to heading up the cybersecurity function until early 2021 when it created a new role at its Center for Devices and Radiological Health. Cybersecurity professor Kevin Fu filled the role of acting director of medical device cybersecurity on loan from the University of Michigan for a year.

In June 2022, after he had left the role, Fu warned that the FDA lacked the staff or dedicated budget to tackle the growing cybersecurity problem.

What’s Next 

The FDA has said it won’t initially refuse devices solely on issues with section 542B, preferring to work with vendors on review. However, after October 1 2023, it will assume that vendors have had enough time to prepare their premarket cybersecurity documentation and will reserve the right to refuse to accept a device if the documentation doesn’t pass muster.

The requirements won’t apply to existing devices, focusing only on new submissions. That means devices introduced before the end of March this year could continue running for years without requiring cybersecurity update plans, especially if hospitals see fit to refurbish them to sweat their assets.

Regulations governing cybersecurity equipment are rarely retroactive, so the free pass for kits in the field is to be expected. Nevertheless, this is a big step in holding device vendors responsible for securing their devices.

You would have hoped that vendors would have held themselves accountable, but alas, no. Last year, the FBI warned about a plague of unpatched, insecure medical devices. The Bureau warned that these devices, including everything from insulin pumps to pacemakers, could be hacked to endanger patient health. It said over four devices in ten that had reached their end of life still had no security patches or upgrades.

Getting vendors to take this seriously is just one-half of the challenge. The other is getting healthcare providers to apply patches when they become available. Barely a third of healthcare providers know where all their devices are or when their end-of-life falls. Even if they do, patching sensitive life-preserving equipment is a challenging process. Still, one small step is better than none at all, we suppose.

Explore ISMS.online's platform with a self-guided tour - Start Now