Medical devices are a major weak point in health care cybersecurity, and both Congress and the Food and Drug Administration (FDA) took action to close that gap this week: Congress with a bill proposed bill and the FDA with new draft guidelines for device manufacturers on how they should build devices that are less likely to be pirated.
Devices such as infusion pumps or imaging machines that are connected to the Internet can be targeted. Those attacks can siphon off patient data or put their security directly at risk. Experts are constantly finding that devices in use today have vulnerabilities that could be exploited by hackers.
The FDA, which regulates medical devices, has been trying to get this problem under control for a while. In 2014, it published guidance for medical device manufacturers outlining how they should incorporate cybersecurity before asking the agency to approve their products. The agency then released a draft guideline in 2018. This new draft supersedes the 2018 version and is based on feedback from manufacturers and other experts and changes in the medical device environment in recent years, Suzanne Schwartz, director of the Office of Strategic Partnerships and Technological Innovation at the FDA, said the edge.
The new document is still just a draft, and device makers won’t start using it until it’s finalized after another round of feedback. But it does include some significant changes from the last version, including an emphasis on the full lifecycle of a device and a recommendation that manufacturers include a Software Bill of Materials (SBOM) with all new products it provides to users. users information about the various elements. that make up a device. An SBOM makes it easy for users to control their devices. If a bug or vulnerability is found in a piece of software, for example, a hospital could easily check whether its infusion pumps use that specific software.
The FDA also published legislative proposals around the cybersecurity of medical devices, asking Congress for a more explicit power to make requirements. “The intent is to allow devices to be much more resilient to withstand the potential for cyberattacks or intrusions,” says Schwartz. Manufacturers should be able to update or patch software problems without harming the function of devices, she says.
The FDA’s efforts dovetail with a bill introduced in Congress this week, the Cyber Health Care Protection and Transformation (PATCH) Act, which would codify some of the FDA proposals. The bill would require device manufacturers to have a plan to address any cybersecurity issues with their devices and would require an SBOM for new devices. If the bill passes, those items become requirements rather than just FDA-recommended guidelines.
“This would give us extra teeth,” says Schwartz. “This would really, for the first time, very explicitly establish authority in the area of cybersecurity and link it directly to medical device security.”
In particular, these new recommendations and legislation would apply primarily to new devices entering the market; they do not cover the millions of medical devices already in use in the United States. The FDA has guidelines, written in 2016, that outline how device manufacturers should control for potential cybersecurity issues in their existing devices that are already on the market. Schwartz says the FDA has no active plans to update that guidance, but it’s something the agency would consider.
The focus of the new draft guidelines and the FDA’s push to legislate on device cybersecurity is to make sure that new devices coming online are in better condition than those that have been on the market and have existing cyber security issues. “We want tomorrow’s devices to not have the same legacy problems we face today,” he says.