
Over the past decade, healthcare provider organizations have borne the brunt of protecting a vast and complex medical device ecosystem. Even the best-equipped health systems struggle to address all medical device security risks, and have not managed to.
But all that could change soon, at least for pre-market device submissions.
The $1.7 trillion omnibus package passed in December includes measures that give the FDA new authority to establish medical device security requirements for manufacturers. The provisions have received broad support from the healthcare sector.
Carter Groome, CEO of First Health Advisory, said the omnibus included "a long-desired FDA authority" previously excluded from continuing resolutions. Some of these requirements for pre-market submissions come from the Protecting and Transforming Cyber Health Care (PATCH) Act and have broad support from industry stakeholders.
The last FDA appropriations bill passed in September without the PATCH Act provisions, despite overwhelming bipartisan support, to the chagrin of medical device security leaders. The Consolidated Appropriations Act of 2023 includes some, but not all, of the PATCH Act's language.
"Although watered down from the PATCH Act requirements, this is a huge step forward for the resilience of the health sector and ultimately for the safety of those who depend on the integrity and availability of medical equipment," said Groome, who is also a post-market medical device security advisor and a member of the Health Sector Coordinating Council (HSCC).
But even small steps toward healthcare cybersecurity can bring large benefits for provider organizations.
Specifically, the law gives the FDA $5 million and the authority to ensure that all new medical devices entering the market are designed with security in mind. This means that in the near future every medical device submission will be required to include a software bill of materials (SBOM) and evidence that the product can be updated and patched.
Submissions must also include a description of the security testing performed and the controls in place.
From an outsider's perspective, manufacturers may appear caught off guard by the coming shift. But "neither the PATCH Act nor HR 2617 is a surprise to anyone," said Richard Staynings, a professor of information and communication technology, health informatics, and medical management at the University of Denver.
These vendors are "fully aware of what it takes to secure their products and should have been working towards these goals for years," he added.
For Staynings, who is also chief security strategist at medical device security company Cylera, including device requirements is "a very welcome development for the cybersecurity community, including many security vendors supporting healthcare."
"These legislative changes should go a long way toward closing some of the holes that cybercriminals and pariah states have been exploiting to target healthcare for years," Staynings said. "The FDA is finally authorized to protect medical devices and other healthcare IoT."
"Manufacturers must demonstrate to the FDA a 'reasonable assurance and an effective security plan' as part of their product submission," he added.
As industry stakeholders watch the implications of the legislation unfold, including the potential for higher costs for manufacturers, SC Media spoke with Staynings about how to prepare for these sweeping changes and what manufacturers should do now.
New authorities mean better security for medical devices
The law also bolsters ongoing efforts to strengthen cybersecurity in healthcare through partnerships between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA), Staynings explained.
Over the next two years, as risks and threats continue to evolve, the FDA and CISA must work together to define these security requirements. The goal, Staynings said, is to "combine the FDA's domain expertise in medical device safety with CISA's domain expertise to better protect medical devices from cyberattacks."
One drawback, however, is that much of the legislation focuses on premarket requirements. Part of it amends the premarket guidance the FDA issued in April 2022.
While this is an important piece of the puzzle, Groome said it "isn't a home run" because it continues the "legacy of non-binding recommendations" rather than moving to a full set of binding requirements.
The law may not be a grand slam, but Groome called it a "double" for sure. He said it carries implications for medical device security that were unimaginable a year or two ago, because manufacturers must now take monitoring, identifying and addressing post-market vulnerabilities more seriously.
"Healthcare organizations should be better prepared to reduce the risk of device downtime, work more efficiently with manufacturers, validate baselines, and get patches and updates faster," he continued.
Manufacturers were asked for more skin in the game; now it's a requirement
The FDA has long made clear that it is not waiting to address the patient safety risks posed by vulnerable devices. Even before these new authorities, the agency had taken a number of steps to change the status quo, including proposing that every device submission include an SBOM.
Some security leaders have expressed concern that many providers are not yet ready to fully leverage SBOMs, but given the risk assessment challenges these organizations face today, the requirement will still have a big impact.
This means that by having to disclose the full SBOM, "manufacturers are no longer the single source of truth and, as a result, a single point of failure," says Staynings. An SBOM supports identifying known vulnerabilities in the applications bundled on a device and in its underlying operating system.
For example, Windows XP remains embedded in many medical devices even though it is no longer supported. The FDA, he said, has been requesting this information from manufacturers since 2018, but many manufacturers have "held back from providing full transparency for fear of disclosure to other manufacturers" and have been "dragging their feet."
With the FDA now authorized to "require disclosure" of the SBOM, manufacturers who have resisted change will be forced to comply in order to keep operating in the healthcare sector.
The agency may publish a future date by which manufacturers must comply with the new rules or risk having devices sent back to fix defects. As noted, it is unclear what will happen to current and recently approved devices.
Staynings explained that questions remain about how long the FDA will allow these devices to be manufactured and marketed, especially if they do not meet the new rules. It is also unclear how the FDA will handle "post-market manufacturer support for current and legacy systems and whether coordinated disclosure of SBOMs and vulnerabilities is required."
These questions are likely to be resolved in future regulations, but Staynings believes that because these market changes have been in progress for years, it should not take long to publish them. The FDA also "had plenty of time to review the final version of the PATCH Act from 2022 and consider how to implement the legislation's requirements."
"Manufacturers have spent years, if not most of a decade, preparing for these changes. Some are not ready," Staynings said. "They are likely to petition for a delay in enforcing the rule so they can continue to sell unsafe medical devices."
"Unfortunately, the power of the medical lobby is such that late or negligent manufacturers may get away with it for some time, at the expense of hospital cybersecurity and patient safety," he concluded.