The U.S. Food and Drug Administration (FDA) has issued new, enhanced cyber-security guidelines for internet-connected devices used by healthcare providers and hospitals.
The new set of protocol recommendations follows a series of guidelines the FDA has published over the years to help protect healthcare facilities, providers, and patients from growing cyber-security threats directed at medical devices.
According to a comprehensive Health and Human Services study covered by Forbes Magazine, cyber-security breaches reported by hospitals and other healthcare organizations have soared consistently between 2009 and 2021 at an eye-opening CAGR of 12.3%. IT and hacking incidents account for nearly 75 percent of these breaches.
In a statement, the FDA said that data breaches and cyber-security threats to medical equipment are increasingly worrying. According to the agency, this is especially true because small- to mid-sized hospitals are the biggest targets of cyber-attacks in the healthcare industry.
The agency noted that cyber-security vulnerabilities in products that hospitals and providers use could be exploited, potentially threatening their effectiveness and safety. The impact on patient outcomes is even more concerning.
The new FDA guidance aligns with the objectives of “Omnibus,” the Consolidated Appropriations Act, the $1.7 trillion federal spending bill that the Biden-Harris administration signed into law on December 29, 2022.
More specifically, the Act’s section 3305 and the newly added section 524B were enacted specifically to strengthen the cyber-security of medical devices.
Under the non-legally binding guidance published at the end of March, medical equipment manufacturers are requested to provide a well-defined plan for identifying, monitoring, and addressing potential cyber-security issues associated with new devices for which they seek approval.
The FDA also recommends several cyber-security actions for medical device makers, including taking proactive measures to address cyber-security threats early, embracing a coordinated vulnerability disclosure policy, and implementing a comprehensive risk assessment plan.
Moreover, applicants seeking new medical device approvals must provide a framework for a process that offers reasonable assurance that their equipment is safeguarded with routine security patches and updates, including those designed to address critical cyber-security emergencies.
As of publication, cyber-security vulnerabilities in medical devices are generally treated as routine: they can be mitigated with security patches or updates and would not necessarily have to be reported under the FDA guidance. However, hospitals, healthcare providers, and medical equipment makers must report any vulnerability that poses a health risk to patients or compromises the device’s clinical performance.
The guidance also recommends how medical device companies should monitor and assess their internet-connected equipment once it has been green-lighted for marketing.
In the past, the FDA published guidance for makers whose medical devices are still in the development pipeline to help them design their equipment from the ground up with cyber-security in mind. The new direction builds upon these recommendations.
According to the new recommendations, companies are expected to submit a software bill of materials (SBOM) to the FDA. The SBOM is a comprehensive inventory of all dependencies, libraries, and components that make up the software side of the medical device – it should include all off-the-shelf, open-source, and commercial software components.
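As an added illustration (not part of the original article or any FDA material), the script below audits a constructed SBOM for the completeness the guidance asks for: every component must carry a name, version, and supplier so it can later be matched against advisories and patch schedules. The CycloneDX-style JSON layout is an assumption; the article does not name a format.

```python
import json

# Constructed sample SBOM in a CycloneDX-style JSON layout (assumed format).
# Two entries are deliberately incomplete so the audit has something to flag.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-controller", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "supplier": {"name": "OpenSSL Project"}},
    {"type": "operating-system", "name": "rtos-kernel", "version": "7.3",
     "supplier": {"name": "Example RTOS Vendor"}},
    {"type": "library", "name": "bluetooth-stack",
     "supplier": {"name": "Example BLE Vendor"}},
    {"type": "library", "name": "zlib", "version": "1.2.11"}
  ]
}
""")

# Fields a component needs before it can be tracked for patches and advisories.
REQUIRED_FIELDS = ("name", "version", "supplier")


def audit_sbom(sbom):
    """Return a list of (component, problem) findings for an SBOM.

    Each component missing a required field yields one finding; duplicate
    name/version pairs are flagged too, since they usually indicate an
    inventory merge error.
    """
    findings = []
    seen = set()
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append((label, f"missing {field}"))
        key = (comp.get("name"), comp.get("version"))
        if key in seen:
            findings.append((label, "duplicate component entry"))
        seen.add(key)
    return findings


def is_complete(sbom):
    """True when every component carries the fields needed to track patches."""
    return not audit_sbom(sbom)


if __name__ == "__main__":
    for name, problem in audit_sbom(SAMPLE_SBOM):
        print(f"{name}: {problem}")
```

Run against the sample, the audit flags the Bluetooth stack for its missing version and zlib for its missing supplier; the same check can be pointed at a real SBOM export before it goes into a submission.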
The FDA’s latest set of guidelines defines a ‘cyber device’ as a piece of medical equipment that includes software installed, authorized, or validated by the manufacturer in or as a device, that can connect to the internet, and that has technological features that could be prone to cyber-security vulnerabilities.
Connected medical devices span diagnostic machines such as X-ray, CT, MRI, ultrasound, and PET scanners, as well as treatment equipment like defibrillators, ventilators, radiotherapy and chemotherapy systems, and infusion pumps.
They also encompass other systems deployed for patient monitoring, management, pharmaceutical, and surgical functions.
Of late, there has been a surge in automated pharmacy and robotic surgical systems, building management equipment such as HVAC systems that maintain negative airflow, and operating rooms built to high cleanliness standards.
These connected medical tools also cover hospital rooms, elevators, CCTV, door locks, laboratories, and other building essentials crucial for a hospital’s well-functioning and safety. That’s why MedTechs are a vital part of the fight against cybersecurity threats on medical devices.
However you look at it, modern hospitals feature a vast network of internet-connected medical devices, some of which contain significant cyber-security vulnerabilities that often go unpatched for months, if not years.
These loopholes can serve as easy entry points for cyber attackers, enabling them to access the entire hospital system and execute more extensive operations, such as stealing sensitive patient information or using such medical devices to unleash ransomware attacks. The FDA guidance was explicitly created to address these situations.
The new document is part of the $1.7 trillion omnibus spending bill signed by President Joe Biden in December 2022. Section 524B of the regulation also obliges the FDA to re-evaluate and update its medical device cybersecurity guidelines at least every two years.
The FDA published the new guidance document just a few months after Sonar security experts identified three potentially costly cybersecurity issues in OpenEMR, an open-source software tool for medical practice and electronic health record management.
Sonar security experts stated that the trio of OpenEMR’s cyber-security loopholes – namely Authenticated Reflected XSS, Authenticated Local File Inclusion, and Unauthenticated File Read – could be exploited by hackers to remotely perform unauthorized system commands and gain access to sensitive patient information.
In the worst-case scenario, hackers and other bad actors can compromise the whole OpenEMR-based critical healthcare infrastructure. The outcome can be devastating, potentially costing hospitals millions in lost business and reputational damage.
However, OpenEMR is far from the only medical product that is susceptible to cyber-security threats.
KillNet – a notorious Russia-linked hacktivist group – has recently focused its efforts on attacking U.S.-based healthcare applications that run on Microsoft Azure infrastructure.
These vulnerabilities in widely used medical products like OpenEMR and Microsoft Azure have revived the long-standing debate over who is ultimately responsible for medical device failure.
Multiple stakeholders and actors in the healthcare sector could be held responsible for vulnerable medical equipment.
As noted by HealthCare Weekly, for example, the physician who recommends or installs a vulnerable, faulty, or unfit medical device may face legal consequences if it suffers a cyber attack. Aside from healthcare providers, hospitals, medical device manufacturers, and even distributors or marketers may be held liable in a lawsuit in case of cyber-security issues.
The latest reforms in the FDA’s medical device cybersecurity guidelines could save lives, given the significant effort cyber attackers put into breaching the healthcare industry.
Last September, a Proofpoint-sponsored report by the Ponemon Institute highlighted the link between cyber-attacks on healthcare organizations and higher mortality rates, making the need for robust cybersecurity in this industry even more apparent.
The new guidelines issued by the FDA to protect internet-connected medical devices highlight the growing concern of data breaches and cyber-security threats to the healthcare industry. The document recommends a wide range of cyber-security actions for medical device makers, including identification and early mitigation of threats, a coordinated vulnerability disclosure policy, and a comprehensive risk assessment plan.
Ultimately, the FDA’s latest reforms in medical device cybersecurity guidelines could save lives and prove helpful in addressing the long-standing debate on who is responsible for the failure of medical devices.