As the healthcare industry faces growing cybersecurity threats, Senators Rosen and Young recently introduced a bill targeting one particularly concerning issue: The Strengthening Cybersecurity for Medical Devices Act would require the FDA to ensure medical devices are protected from hackers. Working with CISA and the GAO, the FDA would update policies, identify vulnerabilities, draft guidelines, improve coordination of resources – and conduct regular, biannual updates.
While the industry is prepared for new regulations, companies cannot afford to wait for Congress to act. Organizations must proactively improve their protections ahead of this legislation, rather than risking lives and businesses during a period of hyperaggressive attacks on medical targets.
A dynamic landscape
This all comes at a critical time for healthcare. Hospitals are shifting from pen-and-paper records to digital databases. Devices are now valuable for both the care they provide and the subsequent data they generate.
Yet these transformations have expanded organizations’ attack surfaces, exposing them to new threats. Beyond the danger of threats themselves, healthcare is unique in the degree to which those threats tangibly impact patient care and lives. The Ponemon Institute reported that nearly 25% of providers suffered increased mortality rates following attacks; 70% said attacks led to treatment delays, contributing to poorer outcomes.
How this bill makes a difference
The new bill could, for the first time, introduce much-needed guidance and rigor into securing and protecting devices. Understanding the risks associated with network-connected medical devices is critical in proactively managing and mitigating risk. Having more frequent guidance and understanding the resources made available by the government can reduce risk and help organizations build resilience. Security is critical in all phases of system development lifecycles, and everyone must do their part in understanding today’s threats, knowing the state of their security posture, and what actions must be taken to mitigate risk. This holds true for improved security architecture design by the manufacturers or the ability of a provider to patch vulnerabilities within a hospital network.
The bill is flexible, recognizing the ever-changing nature of cyber attackers and the need for regular review and updating. The potential downside of this approach is it lacks specificity, and it’s not clear how it will be enforced and what the penalties will be for non-compliance.
There are a few key elements to bring cybersecurity requirements for FDA-approved medical devices across their entire lifecycle — starting with requiring the pre-market approval of all components, including a Software Bill of Materials, continuing to post-market requirements for management of vulnerabilities, through to ensuring a secure decommissioning process. These requirements are designed to ensure medical devices are developed with security in mind, and maintained in a way that keeps patient and data safety a priority.
Get ahead of the curve
While this latest bill would provide welcome guidance for the industry, organizations shouldn’t wait to prepare: The time to establish proactive cybersecurity measures is now. Instead of reacting to cybersecurity laws when they arrive, organizations should proactively improve their practices and treat future legislation as validation.
The process of securing medical devices begins with several initial steps.
- Ensure full visibility: Organizations often underestimate their numbers and types of network-connected devices. Creating a robust map of connected devices is the first and most critical step in securing a network.
- Test and assess regularly: Cybersecurity is a journey, not a destination. As the bill suggests, regularly scheduled reassessments are critical to modern cybersecurity.
- Remain proactive and vigilant: Adopting a proactive, vigilant cybersecurity program will ensure the integrity and security of medical devices, as well as broader networks.
A new standard in medical device security
The Strengthening Cybersecurity in Medical Devices Act marks a welcome shift in medical device cybersecurity, with the potential to introduce unprecedented standards and rigor in ensuring the integrity of medical devices. This added enforcement will translate to peace of mind for patients, who can trust that medical device OEMs and owners have comprehensively secured their devices from the ground up, from manufacturing through implementation and operation.
As this legislation takes shape, however, it remains imperative that healthcare providers remain on the front foot with regard to their security, treating new legislation as validation of their existing approach, rather than an impetus for change.