What’s next for medical device cybersecurity?

Concerns about medical devices being hacked are nothing new. Before he assumed office in 2001, Dick Cheney had already suffered four heart attacks and had had a defibrillator installed to prevent a fifth. But, when it came time to replace that medical device in 2007, then-Vice President Cheney’s medical team instructed the device manufacturer to disable the wireless feature that doctors feared could be used to shock his heart into cardiac arrest.

“It seemed to me to be a bad idea for the Vice President of the United States to have a device that maybe somebody on a rope line or someone in the next hotel room or downstairs might be able to get into, hack into, and I worried that someone could kill you,” Cheney’s doctor told him on a 2013 episode of “60 Minutes.”

In its research, Cyber SecurityWorks (CSW), a New Mexico-based cybersecurity firm, investigated more than 800 products made by 56 healthcare-sector device manufacturers. CSW identified 624 vulnerabilities that spanned the devices. Of those 624 vulnerabilities, 43 were weaponized.

CSW went on to say that six of the vulnerabilities that they found in healthcare products and medical devices could be exploited to hurt or even kill patients.

According to IBM Security’s 2022 Cost of a Data Breach Report, the average cost of a healthcare breach has hit a new record high, US $10.1 million, in 2022. In fact, IBM Security research shows that breach costs in healthcare have been the highest among industries examined, for each year since 2011.

That’s causing insurers to be more reluctant in offering coverage for those breaches, healthcare costs to rise, and new regulations and guidance to emerge.

Medical device security challenges breed action

Recent increases in cyberattacks have drawn the spotlight to the vulnerabilities that live in the attack surfaces of healthcare organizations. Beyond the privacy, confidentiality, and physical safety objectives that healthcare regulation has focused on historically, there’s an emerging focus on improving cybersecurity itself in medical devices.

And the cybersecurity ecosystem of medical devices is vast, complex, and challenging. As Phil Englert, Director of Medical Device Security at the Health-ISAC said on a recent episode of the IoT: The Internet of Threats podcast, “If you look at a medium-sized healthcare organization, they’ll have almost 100,000 devices and maybe 20% of those are connected to the network. That might represent 350 different device manufacturers, 1,200 makes and models of devices,” he said. “It’s very difficult to classify and quantify and put programs in place to manage the risks around these devices and that complexity is stifling to the organization,” he concluded.

It's that complexity—and the enormous amounts of resources needed to confront these risks—that has attracted the attention of lawmakers and regulators, with initiatives such as:

PATCH Act

Earlier this year, politicians from both parties introduced legislation in both the House and Senate to improve cybersecurity around medical devices.

The PATCH Act (the Senate Protecting and Transforming Cyber Health Care) proposes granting the Food and Drug Administration the ability to implement certain cybersecurity requirements when medical device manufacturers seek premarket approval for their devices.

The PATCH Act looks to create baseline cybersecurity controls that device manufacturers must have in place when they apply for FDA approval. The Act also calls for device manufacturers to watch for and act on vulnerabilities that emerge after their device hits the market.

Among these proposals, the PATCH Act would also require device manufacturers to create a software bill of materials (SBOM) for their devices, which would list the components within the devices, including off-the-shelf, open-source, and commercial software, and disclose vulnerabilities that could impact the safety and effectiveness of their devices.

As of August 2022, the legislation remains live in Congress, but has not passed in either the House or Senate.

Evolving FDA Guidance

The FDA drafted cybersecurity guidance in 2018, as an update to pre-market guidance issued four years earlier and supplemented by 2016 post-market guidance. All of this is built upon an earlier document dating from 2005, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.

Despite the work and effort invested into that 2018 draft, the pre- and post-market guidance contemplated within it and aimed to improve medical device cybersecurity remain, more than three years later, a draft.

The FDA took up the updating of the guidance again in 2022, by soliciting comments from the medical device cybersecurity community through July 7. This round of draft guidance, called

“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” has as its goal, to ensure “medical device safety and effectiveness” by requiring “adequate medical device cybersecurity.”

“As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful,” the FDA advised in an April 8, 2022 notice.

The 2022 draft guidance replaces the 2018 draft guidance and focuses on integrating cybersecurity throughout the total product lifecycle (TPLC) of connected medical devices and advises the use of a secure product development framework (SPDF) in their manufacture. It also mirrors the 2020 guidance issued by the International Medical Device Regulators Forum (IMDRF).

The 2022 FDA guidance departs from previous guidance in:

• Integrating a TPLC approach to connected medical device development
• Enhancing the amount of premarket information the FDA receives for review
• Increasing the transparency of device information that customers will see

This last bullet is important.

Among the requirements of the 2022 guidance is that medical device manufacturers must document all the software components a device contains through an SBOM. In cases where a manufacturer doesn’t have access to a third-party’s source code, they must disclose how they can update or replace that source code if needed, in addition to its required plan to address known vulnerabilities, a carry-over from the FDA’s 2014 requirements.

As of this writing, the FDA has collected comments on the draft guidance document published earlier this year, but has not yet issued or implemented its final guidance. “This draft guidance is not final nor is it for implementation at this time,” the FDA clarifies on its website.

What do we do about medical device cybersecurity?

A month ago, we hosted two members of the Health-ISAC’s leadership team on Finite State’s podcast, IOT: The Internet of Threats. The Health-ISAC, or the Information Sharing and Analysis Center for the health sector, promotes the sharing of information about attacks, incidents, and vulnerabilities among member organizations to better protect their member network against emerging threats.

On that episode, we explored the impetus behind the healthcare sector’s increasing focus on improving the cybersecurity controls that protect the devices that millions of people rely on every day worldwide. But, whether healthcare companies are coming to realize and act on the need for better medical device cybersecurity on their own or through the shifting winds of the regulatory environment, the underlying direction is clear.

While the PATCH Act and the evolving guidance from the FDA perhaps stop short of producing a sea change in medical device cybersecurity, they clearly indicate a greater willingness among regulators and lawmakers to step into the cybersecurity realm, at least when it comes to medical devices.

But while healthcare regulation evolves beyond its past focus on medical device safety, data privacy, and patient privacy to include cybersecurity, the need for solutions that can accurately see deep into medical devices is clear and present right now.

To start, SBOMs represent the first step that medical device manufacturers need to get continuous visibility into their product supply chain risk. After all, if you don’t know what you have inside your product, you can’t assess, improve, or mitigate its vulnerabilities and threats. Without that knowledge, you can’t begin to prioritize remediation efforts, respond to new threats, or create the kind of product security program that emerging guidance envisions.

With the world’s largest device intelligence database, the Finite State platform has the intelligence and visibility to empower product security teams to discover, assess, prioritize, and respond to vulnerabilities and weaknesses within their connected medical devices. Finite State helps clients manage their connected device risk by being that single pane of glass that sees into their devices, manages risk, streamlines incident response, and manages their vulnerabilities.

It's IoT and product security risk reduction that strategically enables the business.