Yesterday the Food and Drug Administration (FDA) announced that as of Oct 1st, 2023, it would “refuse to accept” medical devices and related systems unless they meet its new cybersecurity requirements, which went into effect March 29th, 2023. These requirements are embodied in new FDA final guidance on its Refuse to Accept (RTA) policy relating to cybersecurity in medical devices, specifically for “Cyber Devices,” as defined in the newly-amended FD&C Act (Section 524B).
These powers come from the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022 and the provisions which were funded under the Consolidated Appropriations Act of 2023 signed into law on Dec. 29. Given the passage of both acts last year and growing demands for improved medical device cybersecurity going back at least a decade, this should come as no surprise to manufacturers.
Indeed, pre-market FDA security guidance prior to the new law has stipulated increased security requirements, though many manufacturers have not yet implemented this guidance. Under the new powers, improvements in cybersecurity and ongoing support of medical devices are now mandatory.
This decision by the FDA means that companies that develop medical devices will need to ensure that their products meet specific cybersecurity standards and are not vulnerable to hacking or other security breaches. For companies building medical devices, it is now a requirement that your device be built and secure by design, develop strategies to monitor and maintain the security of that device post-market and for the life of the device, generate and maintain a software bill of materials, and generate the required documentation proving you've done so as part of your FDA regulatory submission.
A New Era in Medical Device Security
The days of build, sell, and forget are now over. While some manufacturers were better than others about cybersecurity and ongoing patch support, others can be considered borderline negligent. The refusal to patch known highly vulnerable medical devices resulted in the FDA issuing its first-ever medical device recall in 2017 following the public disclosure of critical security vulnerabilities from hacking a St. Jude Medical cardiac defibrillator. St. Jude Medical had a long history of refusing to patch its insecure medical devices, and shortly after the disclosure, the company was sold to Abbott Labs, reportedly at a big discount.
Submissions to the FDA need to include a software bill of materials, which must contain all commercial, open-source, and off-the-shelf software components while complying with other FDA requirements “to demonstrate reasonable assurance that the device and related systems are cybersecure.” This allows healthcare provider security teams to immediately understand and react to their exposures when CVEs are published for individual software components rather than wait for medical device manufacturers to assess and publish their own vulnerability disclosures.
Device manufacturers will need to submit plans to monitor, identify and address in a "reasonable timeframe" any determined post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosures and plans.
“While the language here is vague and not specific, it's a big improvement over current arbitrary disclosure practices,” claimed Timur Ozekcin, CEO of Cylera.
Developers must now design and maintain procedures able to show, with reasonable assurance, “that the device and related systems are cybersecure” and create post-market updates and patches to the device and connected systems that address “on a reasonably justified regular cycle, known vulnerabilities,” according to the guidance.
If discovered out-of-cycle, the manufacturer must also make public “critical vulnerabilities that could cause uncontrolled risks,” as soon as possible.
“This appears to be weaker requirements than the originally proposed 30-day patch availability requirement, as is common for other software when critical vulnerabilities are discovered, but it's a lot better than the current situation,” added Ozekcin.
“These changes mark a much-needed improvement to the security of connected medical devices, but they don't cover the millions of legacy devices currently in use in our hospitals and clinics. Unless the FDA introduces rules to address these legacy devices, it may take many years before the healthcare industry's security is significantly impacted,” claimed Richard Staynings, Chief Security Strategist with Cylera. “Medical devices have an expected lifespan of between 8 and 20 years in some cases, so the security of these systems will more than likely be an issue till 2043 and that's too long,” he added.
While not all connected medical devices will develop security vulnerabilities, many will over the course of their lifetime and amortization schedule. What is needed is a way to identify medical and other healthcare IoT-connected devices better, understand their risks, and accurately profile devices so that software-defined networking (SDN) tools like network access control (NAC) can be used to segment and isolate potentially at-risk systems. AI-based tools like Cylera Command Platform automate this entire process, leading to the seamless orchestration of security policy across the healthcare network.