
More Cyber Rules From Industry-Specific Federal Regulators: FDA Issues Cybersecurity Guidelines for Medical Devices

New regulation from the Food & Drug Administration (FDA) is establishing cybersecurity guidelines for the country’s medical devices, continuing a pattern by the Biden administration of using industry-specific watchdogs to push an improvement in critical infrastructure cyber defenses.

The move follows the discovery of vulnerabilities in medical devices by a number of major manufacturers, BD and Zoll Medical among them. The FDA’s new cybersecurity guidelines will ask these manufacturers to submit more documentation about how devices are secured against digital intrusion and how they plan to respond when vulnerabilities are discovered.

FDA wants to see improved security-by-design for medical devices

Industry regulators are finding ways to bolster cybersecurity guidelines under existing authority, something that the EPA and TSA have also both recently done. The purpose appears to be the quickest possible improvement to cyber defenses in critical infrastructure industries, an improvement that would otherwise require either an executive order (which could be challenged in court or repealed by a future administration) or the usual protracted wrangling in Congress.

In the FDA’s case, it is an amendment to the FD&C Act with a new section that governs the cybersecurity of medical devices. The new terms will have device manufacturers submit a plan with applications that demonstrates how they will monitor, identify and address cybersecurity issues, along with “reasonable assurances” that the device is protected from cyber attacks.

The cybersecurity guidelines also create new patching requirements for medical devices, and require that software in devices be documented by a software bill of materials (SBOM) that lists out the components and libraries it uses. The federal government is showing increasing interest in the use of software bills of materials after weathering vulnerabilities such as Log4J, which can be buried deep in code and for which every affected instance is difficult to find, particularly when the software draws on open source elements.
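As an added illustration of why the guidelines ask for an SBOM (this is example code, not anything from the FDA or from a device manufacturer), the snippet below walks a small constructed CycloneDX-style SBOM, including nested (transitive) components, and flags every copy of a library that falls below an advisory's first fixed version. The SBOM contents and the advisory entry are assumptions constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM (not a real device's SBOM). It deliberately
# contains log4j-core three times: once at top level and twice nested inside
# other components, which is the "buried deep in code" case the text describes.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "device-ui", "version": "3.1.0", "components": [
      {"name": "log4j-core", "version": "2.14.1", "group": "org.apache.logging.log4j"}
    ]},
    {"name": "telemetry-agent", "version": "1.4.2", "components": [
      {"name": "jackson-databind", "version": "2.13.4", "components": [
        {"name": "log4j-core", "version": "2.17.1", "group": "org.apache.logging.log4j"}
      ]}
    ]},
    {"name": "log4j-core", "version": "2.3", "group": "org.apache.logging.log4j"}
  ]
}
"""

# Constructed advisory table assumed for the example: (group, name) -> first fixed version.
ADVISORIES = {("org.apache.logging.log4j", "log4j-core"): (2, 15, 0)}

def parse_version(v):
    """Turn a dotted version string into a comparable 3-tuple of ints."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def walk(components, path=()):
    """Yield every component with the chain of parents that pulls it in."""
    for c in components:
        here = path + (f"{c['name']}@{c['version']}",)
        yield c, here
        yield from walk(c.get("components", []), here)

def find_vulnerable(sbom_text):
    """Return the dependency path of each component below its advisory's fixed version."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp, path in walk(sbom.get("components", [])):
        fixed = ADVISORIES.get((comp.get("group", ""), comp["name"]))
        if fixed and parse_version(comp["version"]) < fixed:
            hits.append(" > ".join(path))
    return hits
```

Without the nested walk, an inventory that only reads top-level entries would report one vulnerable copy and miss the one shipped inside device-ui.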

Medical devices in particular are also becoming a cybersecurity focus after a string of vulnerabilities has been found in patient care equipment from major manufacturers. September 2022 research from the FBI’s IC3 found that a little over half of internet-connected devices in hospitals had “critical” vulnerabilities, including equipment vital to sustaining life such as defibrillators and insulin pumps.

Hospitals and patient care facilities have also become an increasingly popular target with ransomware groups, due to the perception that they cannot afford any downtime and are very likely to pay demands. Though some major studies show that ransomware as a whole was on the decline in 2022, research such as the Sophos State of Ransomware in Healthcare 2022 report finds that attacks on health care facilities doubled over the course of the year. The ransomware operators that remain in the market are also becoming more depraved in their pressure tactics, with the ALPHV group leaking the nude photos of breast cancer patients in March after breaking into a Pennsylvania hospital network.

Cybersecurity guidelines part of federal push to head off avenues of real-world harm

Hospitals, and particularly medical devices, create numerous opportunities to cause real-world physical damage via a cyberattack. The first two deaths attributed to ransomware came as a result of hospital systems being tied up, delaying vital care to patients in a critical state for long enough that they passed away.

Ransomware attacks against hospital networks have been the main source of concern thus far, but individual vulnerabilities in medical devices could be exploited either as an extortion tactic or even for targeted attempts on the lives of specific patients. The 2022 FBI research found that medical devices currently on the market have an average of 6.2 vulnerabilities each, and 40% of the devices used in end-of-life care are not protected in any way.

Medical devices are also not the only source of concern, or the only area in need of cybersecurity guidelines. In early 2023, three serious vulnerabilities were found in a popular open source health records management app called OpenEMR.

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, additionally notes that internet-connected mobile devices in hospitals are also a point of security focus: “It is impossible to ensure cybersecurity for connected medical devices without securing the mobile apps that connect to and control them. These Digital Health mobile apps collect sensor data, process it for patient insights, recalibrate the medical device if necessary, and send it to healthcare provider portals for monitoring. Life-saving products can be created with this level of sophistication, but without robust security, they can be detrimental to the health of patients. It is important for apps to be designed to prevent abuse or exploitation on app stores and on patient mobile devices. It is so easy for malicious actors to download and inspect an app just sitting in the store. This is the equivalent of giving the opposing team your offensive playbook. The problem of on-device security arises from app developers relying on OS and platform security to secure their apps. However, if either is compromised, it is easy to compromise the app and the device. These are the two key areas where they risk being compromised by malicious actors, malware, and other threats.”

The new cybersecurity guidelines went into effect on March 29, but for now will only apply to new applications from that date on. Applications that were already submitted prior to that date will be grandfathered in under the previous rules until October 1, 2023. The cybersecurity guidelines might also be altered or even sunset in 2025, as the FDA is required to review these rules once every two years.

Device manufacturers will have some assistance in meeting the cybersecurity guidelines, however, as the FDA is also required to review its online resources at least once per year and update them to reflect the latest information about how vulnerabilities should be detected and addressed. The U.S. Comptroller General has also been tasked with developing guidelines for federal agencies to assist manufacturers and the health care industry in overcoming expected cybersecurity challenges.