Increased Scrutiny on the Cybersecurity of Medical Devices

Healthcare organizations rely on medical devices to help provide patient care and monitor patient health. Devices such as insulin pumps, implantable cardioverter-defibrillators, pacemakers, and mobile cardiac telemetry monitors give patients and providers real-time data that helps improve outcomes and quality of life. However, those same devices can put your organization at risk of a cybersecurity incident, including breaches of Protected Health Information (PHI) or a ransomware attack that spreads across your entire network. Attacks on medical devices can also cause serious harm to patients, for example by causing a device to report inaccurate information to providers.

In September 2022, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification warning the healthcare industry about the rising risk from unpatched medical device vulnerabilities. The FBI noted that medical devices are often operated in their default configuration and are difficult to patch once vulnerabilities are identified. Because these devices are integrated into a provider's network, they can offer an easy entry point for an attacker. The notification cited research finding an average of 6.2 vulnerabilities per medical device, and that more than 40% of devices in use are at end of life, with little or no security patching or upgrades available.

Emphasis on Medical Device Cybersecurity

Historically, medical devices were developed to perform specific clinical functions, with cybersecurity not treated as a design concern. To address this, the Consolidated Appropriations Act, 2023 (Omnibus), signed into law in December 2022, added medical device cybersecurity requirements to the Federal Food, Drug, and Cosmetic Act (FD&C Act) as new section 524B. The amendments reinforce the Food and Drug Administration's (FDA) focus on the cybersecurity of medical devices and its concern that insecure devices put patient medical data at risk and jeopardize the security of healthcare networks.

The law applies to medical devices that meet the statutory definition of a “cyber device.” The FD&C Act defines a “cyber device” as a device that meets all three of the following criteria:

  1. Includes software validated, installed, or authorized by the sponsor as a device or in a device
  2. Has the ability to connect to the internet
  3. Contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats

As of March 29, 2023, manufacturers of cyber devices must include in their premarket submissions to the FDA information demonstrating that the device meets the cybersecurity requirements of the FD&C Act. The submission requirements are:

  • Submit a plan to monitor, identify, and address, as appropriate and in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures
  • Design, develop, and maintain processes and procedures that provide reasonable assurance that the device and related systems are cybersecure, and make postmarket updates and patches available to address known unacceptable vulnerabilities on a reasonably justified regular cycle and, as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks
  • Provide a software bill of materials (SBOM) covering commercial, open-source, and off-the-shelf software components

Between March 29 and October 1, 2023, the FDA will work collaboratively with manufacturers to resolve cybersecurity deficiencies found in submissions rather than rejecting them outright. Beginning October 1, 2023, the FDA will issue “refuse to accept” (RTA) decisions for submissions that fall short of the cybersecurity requirements.

The requirements do not apply to premarket submissions made to the FDA before March 29, 2023. However, if a previously authorized device is changed in a way that requires a new premarket review by the agency, the law applies to that new submission.


The FDA also publishes guidance to help manufacturers design and develop devices with effective cybersecurity safeguards throughout their lifecycle, including Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices.

How Healthcare Providers Can Protect Themselves

Ultimately, it is the healthcare organization's responsibility to ensure the equipment it uses is secure and does not expose the organization to potential HIPAA violations. Here are some actions healthcare organizations can take to improve the cybersecurity of their medical devices:

  • Include medical devices in your risk assessments rather than treating them as outside the scope of IT security.
  • Apply patches once they have been validated and distributed by the medical device manufacturer and tested in your own environment.
  • Establish and maintain communication with each manufacturer's product security team to stay current on advisories and patches.
  • Maintain an inventory of each device's IT attributes, including its Media Access Control (MAC) address, Internet Protocol (IP) address, network segment, operating system, installed applications, and any other elements relevant to managing information security risk.
  • Set security requirements for vendors before procurement, and favor vendors that hold recognized attestations such as HITRUST certification or a SOC 2 report.
  • Implement access controls for clinical and vendor support staff, including controlled and monitored remote access, multi-factor authentication (MFA), and minimum-necessary or least-privilege permissions.
  • Make sure no medical device is still using the vendor's default password.
  • Make sure the Wi-Fi networks your devices communicate over use strong encryption (WPA2 or WPA3, never open or WEP networks), and change the default administrative passwords on all Wi-Fi access points.

Organizations also need procedures to respond quickly when a medical device is compromised. Train staff thoroughly so they know what is expected of them, and establish clear plans of action for:

  • Notifying patients when their medical devices are compromised.
  • Giving patients a way to notify the organization if they suspect their own devices are compromised.
  • Engaging the device's vendor or manufacturer to understand the vulnerabilities, risks, and appropriate protection and response measures.

CompliancePoint’s team of experienced cybersecurity and healthcare professionals can help your organization design, implement, and manage an effective cybersecurity program. Contact us at connect@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.