Federal Mandates on Medical-Device Cybersecurity Take Significant Measures

The US Food and Drug Administration (FDA) is set to end its grace period for medical device makers to comply with new cybersecurity regulations. Starting from October 1, manufacturers of medical cyber devices will be required to submit plans to monitor and patch post-market cybersecurity vulnerabilities, implement secure design and development processes, and provide a software bill of materials (SBOM) to the FDA. Failure to meet these requirements could result in the rejection of their devices due to the potential cyber risk they pose.

The FDA’s push for increased cybersecurity in medical devices is a response to the passage of an omnibus appropriations act in December 2022. This act included a section called “Ensuring Cybersecurity of Medical Devices,” which mandated that medical-device manufacturers submit cybersecurity information to the FDA. These new powers, which went into effect in March of this year, give the FDA the authority to enforce cybersecurity controls and hold non-compliant manufacturers accountable.

The issue of medical device cybersecurity has been a concern for experts for over a decade. In 2011, a demonstration showed that an insulin pump could be hacked, highlighting the vulnerabilities of these devices. Major ransomware attacks on hospitals have also exposed weaknesses in the healthcare system, leading to potentially avoidable deaths. In response, the FDA has allocated $5 million of its budget to medical device cybersecurity, recognizing the potential harm that cyber threats pose to the healthcare system.

Despite the growing awareness of the need for improved cybersecurity in medical devices, manufacturers have been slow to implement changes. In 2022, only 27% of manufacturers maintained an SBOM, and fewer than half used binary code analysis, a common countermeasure. The FDA’s new regulations aim to change this and force manufacturers to prioritize cybersecurity in their devices.

However, there are concerns that the new regulations may not go far enough. While the legislation outlines cybersecurity best practices, it does not provide specific details on how manufacturers will be held accountable or what powers the FDA has in enforcing compliance. Some experts suggest that the legislation should have created an industry board of experts to determine the best practices for securing medical devices. This would provide clearer guidelines for manufacturers and ensure a higher level of accountability.

Another issue that the legislation does not address is the presence of legacy devices. Many medical devices currently in use are outdated and lack the necessary cybersecurity measures. Claroty’s Ty Greenhalgh points out that the legislation focuses on new devices but does not provide guidance on how to handle existing legacy devices. This is a significant gap that needs to be addressed to ensure comprehensive cybersecurity across the entire healthcare system.

Despite these concerns, the FDA has made significant efforts to provide resources and guidance on medical device cybersecurity. The agency has developed an incident response playbook, a threat-modeling guide, and a best practices document for communicating cybersecurity vulnerabilities to patients. These resources aim to assist manufacturers in implementing effective cybersecurity practices and ensure that patients are informed about potential risks.

In conclusion, the FDA’s grace period for medical device makers to comply with new cybersecurity regulations is coming to an end. The agency is stepping up efforts to enforce cybersecurity controls and hold non-compliant manufacturers accountable. While the new regulations are a step in the right direction, there are concerns about their effectiveness and lack of specificity. The issue of legacy devices also remains unresolved. Nevertheless, the FDA’s commitment to improving medical device cybersecurity and providing resources for manufacturers is a positive development that will contribute to a more secure healthcare system.
