Healthcare
Vulnerability Management

Recapping Recent Strides in Medical Device Cybersecurity

George V. Hulme / Sep 14, 2023

It's tough to pinpoint the exact moment when people started to view connected medical device security with a sense of urgency. The pivotal event for many in the cybersecurity industry (and hopefully a few medical device makers) was in 2011 when security researcher Jay Radcliffe demonstrated how he could compromise his own insulin pump. Eyebrows were raised because it became clear to many that hacking medical devices would have profoundly different repercussions than stealing troves of credit card numbers.

Another big moment arrived nearly four years after Radcliffe's demonstration when the U.S. Food and Drug Administration (FDA) issued a warning stating that it may be possible to remotely access Hospira infusion pumps and gain control via unauthorized access. Another came in 2017, when the WannaCry ransomware disrupted the operation of medical devices around the world, including blood gas analyzers and MRI scanners.

Since then, the security of connected medical devices has been taken much more seriously, and security leaders in the healthcare industry are starting to see changes that have begun to shift medical device security in the right direction. "We're starting to make strides as an industry," says Martin Fisher, director of information security and CISO at Northside Hospital based in the greater Atlanta region. "There's been a lot of work within the healthcare industry to help influence the FDA and some manufacturers," Fisher says. 

Manufacturers Improving Medical Device Security

Much of that influence on connected medical device manufacturers has come from FDA regulatory controls and mandates crafted by guidance from healthcare providers and security experts. The FDA's premarket and postmarket device security guidance requires medical device makers to incorporate good security practices during device design, creation, and use in healthcare facilities. 

"Medical device security is getting better because the device manufacturers are being forced to get better," adds Bill Pelletier, an embedded systems security architect at a medical device and software maker based in the northeast U.S. "But for the most part, when it comes to medical device security, [device makers] get it, although some more than others," Pelletier says.

Some of the efforts that the FDA and other influential organizations have moved forward aim to improve the inherent security of medical devices before they're shipped and improve the security and manageability of these devices for healthcare delivery organizations once they're in use.

A select handful of these milestones include:

  • In 2014, the FDA issued regulatory requirements and guidance for manufacturers on premarket and postmarket medical device security, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. That initial draft guidance provided industry recommendations for medical devices regarding cybersecurity design and documentation the FDA wants to be included in premarket submissions for devices.

  • NIST published guidelines and standards for medical device cybersecurity, such as Principles and Practices for Medical Device Cybersecurity. That NIST document details how to improve medical device safety, performance, and cybersecurity.

  • In addition to encouraging medical device manufacturers to monitor and assess cybersecurity vulnerabilities and associated risks, the FDA expects manufacturers to disclose known vulnerabilities and provide ways to mitigate and fix the defects.

  • The FDA adopts a "refuse to accept" policy. In March of this year, the FDA issued its guidance "Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices Under Section 524B of the FD&C Act." The guidance mandates that medical devices be secure by design and provides recommendations for premarket submissions to ensure that marketed medical devices are resilient to digital attack.

  • The FDA also now requires new medical device applicants to submit a plan on how they will "monitor, identify, and address" security-related risks and create a process that provides "reasonable assurance" that devices are protected. Medical devices that the FDA "refuses to accept" will be kicked back to the medical device maker, informing them of security deficiencies in the submission that must be rectified before resubmission.

  • In July 2023, additional government requirements were introduced to help secure medical devices. These requirements mandate that medical device manufacturers issue a software bill of materials (SBOM) for each medical device they bring to market.

Clearing the Way for Improved Medical Device Vulnerability Management

These efforts not only target the inherent security of connected medical devices but are also designed to help healthcare delivery organizations better manage their connected medical devices. For instance, in 2018, the FDA and the Department of Homeland Security (DHS) agreed to work together to improve the coordination between the agencies to defend medical devices from digital threats.

Fisher adds that the steps the FDA has taken will help create new connected medical devices that are more flexible to secure while they are in use at healthcare providers. "Think about the ability to load an endpoint detection and response agent on these devices, or how the FDA-certified stack is smaller, making it easier to integrate the device into a security program," Fisher says.

One of the changes that helped to improve the speed at which medical devices could be patched to fix security defects was the FDA's decision to no longer require patched medical devices to undergo the kind of review they go through when a new device is brought to market. "The FDA has said that postmarket devices can be patched without [510(k)] paperwork," says Pelletier. But he added that the machines still have to undergo safety testing.

"There is no 'Get Out of Testing Free' card here," Pelletier adds. However, he does note that the level of testing for a cybersecurity-specific patch may be just as intense as for regulatory submission, depending on the device architecture.

Currently, the FDA sets the cybersecurity-specific patching requirements via its premarket and postmarket guidance documents, but does not test the devices itself as it would during a typical new medical device product submission. Healthcare delivery organizations remain responsible for testing the patched devices, per the manufacturer's guidance.

One of the challenges with testing patches in medical devices, explains Pelletier, is that it can take weeks, even months, to test updates versus minutes within a traditional software development pipeline. It makes sense, as connected medical devices are complex systems with many interdependencies that, if everything's not running smoothly, can cause adverse effects on patients. "There's no way around the safety issues," says Pelletier.

The FDA's premarket and postmarket guidance documents offer recommendations that experts expect will improve healthcare providers' ability to manage their connected medical devices. The FDA's "Postmarket Management of Cybersecurity in Medical Devices" guidance provides recommendations to the industry for structured and comprehensive management of cybersecurity risks. It emphasizes the importance of addressing cybersecurity throughout the product lifecycle, including during the device's design, development, production, distribution, deployment, and maintenance.

The FDA's draft guidance, "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," outlines the FDA's recommendations more clearly for premarket submission information to address cybersecurity concerns.

While the FDA's regulatory changes have been significant steps in the right direction, most have agreed that much more work must be done in the years ahead. "The problem is that there's so much tech debt in the environment and that these devices are costly, and many have an anticipated life of six to 15 years," says Northside Hospital's Fisher. "The legacy devices are going to be around for quite a while."

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
