In its most recent draft guidance to medical device makers, the U.S. Food & Drug Administration (FDA) detailed what the agency expects during the device premarket submission process. However, healthcare security and medical device security experts caution that it will be some time—perhaps decades—before these changes have a substantial positive impact on helping to keep healthcare delivery organizations secure.
The FDA's guidance updates Section 524B of the Federal Food, Drug, and Cosmetic Act. Important updates include defining what devices fall under compliance with Section 524B, specifically devices that can connect to the Internet and contain characteristics that make them vulnerable to security threats. The premarket cybersecurity guidance also details the information the FDA needs to determine that medical device makers can meet their obligations under Section 524B.
Those obligations include the medical device maker's plans to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits; the processes and procedures that the medical device maker has in place to provide reasonable assurance that the medical device and related systems are secure; the plans for the availability of postmarket updates and patches that will address security vulnerabilities; and a software bill of materials (SBOM) that lists third-party software components.
The updated guidance also defines devices that can connect to the Internet to include all of those that possess the following capabilities:
Wi-Fi or cellular;
Network, server, or cloud service provider connections;
Bluetooth or Bluetooth Low Energy;
Radiofrequency communications;
Inductive communications; and
Hardware connectors, such as USB, Ethernet, or serial ports, that can connect to the Internet.
The FDA also provided its expectations regarding a medical device maker's coordinated vulnerability disclosure plan, which must include the following:
Coordinated disclosure of vulnerabilities and exploits identified by external entities, including third-party software suppliers and researchers;
Disclosure of vulnerabilities and exploits identified by the manufacturer of cyber devices;
Manufacturer procedures to disclose the vulnerabilities and exploits as identified; and
A description of the timeline and procedures for the coordinated disclosure of vulnerabilities and known exploits.
The guidance also explains that medical device makers should create a schedule of regular updates for known "unacceptable" vulnerabilities and publish patches outside of the regular cycle for higher-risk situations that could pose additional risk to patient safety.
Healthcare security and medical device security experts say the actual impact on the security of healthcare delivery and medical devices will be slow coming.
David Brumley, offensive cybersecurity professor at Carnegie Mellon and CEO at software security firm ForAllSecure, says the regulations should help to improve the security of discrete medical devices and will continue to do so over time. He adds that it will also help to raise the importance of device security among device manufacturers. Still, much more work is required to improve the overall security of healthcare delivery organizations.
"These regulations are telling the companies that build these devices that security needs to be a top-level board-level issue," says Brumley. "We're going to start seeing security elevated to the same level as engineering."
Medical device security expert Christopher Gates, director of product security at Velentium and author of the book Medical Device Cybersecurity for Engineers and Manufacturers, says the security regulations brought forward by the FDA regarding premarket medical device security will bring long-term improvements.
"And I mean very long term, as more secure medical devices enter the field, the percentage of vulnerable devices will decrease, thus improving the overall security posture of the healthcare delivery organizations. But this process will take years, maybe decades," he says.
"For the most part, medical device manufacturers have ignored cybersecurity for the past 10 years. Now that it is mandatory and they will have to face it, they have not prepared, which has resulted in development teams that are largely ignorant of all aspects of cybersecurity, from technical to the regulatory requirements," says Gates.
Gates adds that because cybersecurity experts are so difficult to find, medical device makers' only viable option is to start training their existing development staff in medical device cybersecurity.
Brumley agrees any improvement will take a long time, mainly because the challenges healthcare delivery organizations face regarding security go far beyond the security of medical devices.
"If you think about all the different systems in a healthcare environment, such as patient record systems and associated peripheral systems, [and how they will continue to be attacked], medical devices will end up being collateral damage rather than direct vectors of attack," he says.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.