Federal Mandates on Medical-Device Cybersecurity Get Serious

Published: 23/11/2024   Category: security


In October, the US Food and Drug Administration will start rejecting medical devices that lack a secure design or a post-market cybersecurity plan.



For six months, medical device makers have had to comply with new cybersecurity regulations aimed at hardening medical devices against cyber attacks, but the US Food and Drug Administration has largely refrained from using its refuse-to-accept power up to now.
On Oct. 1, the FDA's grace period — during which the agency stated it would try not to use its ability to reject medical devices that lack appropriate cybersecurity controls and a post-market patching capability — will end. The manufacturers of medical cyber devices must now submit plans to monitor and patch post-market cybersecurity vulnerabilities, have a process in place for the secure design and development of devices, and provide a software bill of materials (SBOM) to the FDA. Those who do not satisfy the requirements could have their devices rejected on the grounds that they pose too great a cyber risk.
The agency's focus on medical-device cybersecurity stems from Congressional passage of an omnibus appropriations act in December 2022 that included a section, "Ensuring Cybersecurity of Medical Devices," requiring medical-device manufacturers to submit cybersecurity information to the FDA regarding any cyber device. The powers granted to the FDA, which went into effect in March, could go a long way toward forcing the makers of medical devices to consider and plan for vulnerabilities and cyberattacks, says Ty Greenhalgh, industry principal for healthcare at Claroty, an IoT security firm.
"This legislation addresses specifically that you have to do something about patching and updating on the new devices, and how are you going to get patches and updates out over the lifecycle in a reasonable time," he says. "The way this is set up, it's given broad authority for interpretation to the FDA on what it takes to get medical devices cyber-secure and what are the penalties, if you are not compliant with their interpretation."
Medical devices have concerned cybersecurity experts for more than a decade, with a demonstration of the ability to hack an insulin pump stripping away many illusions of security in 2011. Major ransomware attacks on hospitals have laid bare the weaknesses and consequences, with the US Department of Health and Human Services estimating that slowed response times and patient triage led to as many as 36 more deaths per 10,000 heart attacks.
Yet medical device manufacturers have been slow to change. In 2022, only about a quarter of manufacturers (27%) maintained an SBOM, while less than half (47%) took even the most common countermeasure: binary code analysis.
The FDA, which allocated $5 million of its budget to medical device cybersecurity, could change that.
"Cybersecurity exploits are one of the most substantial threats faced by this nation, and the impact is particularly harmful for our health care system, where vulnerabilities could compromise entire hospital systems or disrupt manufacturing of countless devices if they are impacted," the FDA stated in its annual appropriations estimate. "Ultimately, these threats are of national security concern because if they go unchecked, they could cripple healthcare delivery."
The US Food and Drug Administration has pushed for more cybersecurity in medical devices for more than a decade, outlining cybersecurity best practices for networked medical devices in 2005 and publishing draft guidance to manufacturers in 2016. Cyber devices are defined as those with software, an ability to connect to the Internet, or a technical component that could be vulnerable to cybersecurity threats.
Putting these new requirements into law is a first step, but is far from being an answer in and of itself, says David Brumley, a cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
"We're building a muscle at this point, and that muscle isn't gonna allow us to lift this open-source [security] weight yet. But if we don't start building this muscle we won't be able to in 20 years," he says. "I just wish that they took it a step further, to say how they're going to hold people responsible, and what powers they have to hold people responsible."
While the government has correctly avoided prescribing technological measures in law due to rapidly changing technology, the legislation could have created a board of experts to determine the best practices for securing medical devices, says Brumley.
"If you don't want the government dictating exactly how you should do things, because that can be slow and bureaucratic, then you should have an industry board that says what [the best practices] are for a practitioner," he says. Brumley points out that engineers building bridges have industry- and government-prescribed standards and codes to follow for due diligence, and could be found negligent if they don't follow them. "These requirements are so vague that you could do basically nothing, other than maybe running an SCA (software component analysis) scan, and you would satisfy the legislation."
In addition, the law does not have a component that addresses the legacy devices out there, which are among the most vulnerable, some of which are 15 years old, adds Claroty's Greenhalgh.
"This legislation is designed to start addressing the problem, but even if you are plugging the hole in the boat ... it's not really clear in the legislation what are you going to do about the legacy devices," he says.
The FDA has significant resources on cybersecurity in medical devices, including an incident response playbook, a threat-modeling guide, and a best practices document for communicating cybersecurity vulnerabilities to patients.
