On December 29, 2022, the 2023 “Omnibus” or Consolidated Appropriations Act was signed into law. Section 3305 of the Omnibus, “Ensuring Cybersecurity of Medical Devices,” amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. The Omnibus amendments to the FD&C Act went into effect on March 29, 2023.
The new legislation authorizes the Food and Drug Administration (FDA) to require medical device manufacturers to take measures to include security by design or add cybersecurity protections to their products before they are brought to market. The requirements for cybersecurity design and best practices will apply to all future medical devices on the market, and the Government Accountability Office is tasked with gathering and reporting on challenges to the adoption and implementation of the legislation’s requirements.
Below, we cover what’s changing, what’s in the new regulations, what medical devices are at risk, and guidance for implementing the NIST Cybersecurity Framework.
What’s Changing in the Regulations?
The secretary of the FDA will continue working within public-private partnerships to incorporate sector-specific feedback from manufacturers, healthcare practitioners, consumers, affected third parties, and any additional stakeholders. The Omnibus amendments have the potential to provide precedence for regulations across all internet-of-things type devices and technologies. The most significant feature of the legislation is the broad mandate to provide security before products are brought to market, and to adequately address security issues that arise during the device lifecycle.
Device manufacturers are required to submit a plan to the FDA within 90 days of the bill’s enactment that covers how they will monitor, detect and remediate vulnerabilities and exploitation through vulnerability disclosures, information sharing and incident response plans; ensure the devices they manufacture include secure-by-design features; offer updates and patches when software vulnerabilities are discovered and disclosed; and provide a full software bill of materials (SBOM) for all components in each device – including commercial/proprietary, open-source, and off-the-shelf or third-party software components.
The legislation also increases government requirements, including tasking the GAO with report writing and review, a requirement to publish guidance on the content of premarket submissions for management of cybersecurity in medical devices, public resources on improving cybersecurity of devices, and issuance of a report by the Comptroller General of the U.S. to assess “challenges for stakeholders in accessing federal support to address vulnerabilities across federal agencies; how federal agencies can strengthen coordination to better support device cybersecurity; and, statutory limitations and opportunities for improving device cybersecurity.”
The addition of section 524B creates a new category for device manufacturers to compete in – cybersecurity. Though the exploitation of devices will have a lot to do with the networks and environments they are deployed in, the requirements here will begin to address specific security considerations for the industry rather than provide generic, blanket guidance to an entire sector. It is a move in the right direction for the pursuit of outcome-based cybersecurity regulation. We will be able to review its progress over time and take away key learnings in how devices are designed, brought to market, and deployed. Unfortunately, it will not alleviate the concerns for currently deployed insecure devices and legacy technologies.
“Cyber devices” in the Omnibus legislation broadly include devices that contain “software validated, installed, or authorized by the sponsor; the ability to connect to the internet; and contain any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.” This definition encompasses the internet of medical things (IoMT) – including “smart,” internet-connected technologies, diagnostics, monitoring, and wearable devices, insulin and pain management pumps administering medications, mobile telemetry devices, certain pacemakers, cardiac defibrillators, and more.
However, even with baseline security measures and best practices, focusing solely on device security will not alleviate all healthcare sector cybersecurity concerns. The device-specific measures for manufacturers tackle device and endpoint security and may also produce better data security by limiting access and exploitation capabilities. However, large networks that deploy many thousands of vendor devices at scale have other complexity issues within network security, zero trust, and network segmentation that also require attention to prevent worst-case scenarios.
What’s at Risk in Healthcare?
Cybersecurity for operations and facilities is arguably most important in the hospital setting where critical populations gather, and the safe movement of resources, equipment and personnel is essential. Major companies and providers struggle to manage massive campuses – some the equivalent of small cities – serving millions of patients each year and employing tens of thousands of people.
Legacy technologies in healthcare are ubiquitous, expensive to replace, and susceptible to exploitation through well-known cyber-attack tactics and a growing list of publicly disclosed common vulnerabilities and exposures (CVEs). Many run outdated software such as Windows XP and Windows 7 and have limited mechanisms for applying critical patches and updates. Limited resources constrain the ability to track, secure and continuously fortify each component of legacy medical technology in use today.
- 75% of infusion pumps studied had at least one vulnerability or raised at least one security alert
- Imaging devices, such as X-ray, MRI and CT scanners, were particularly vulnerable, with 51% of all X-ray machines exposed to a high-severity CVE (CVE-2019-11687)
- 44% of CT scanners and 31% of MRI machines were exposed to a high-severity CVE
- 20% of common imaging devices were running an unsupported version of Windows
HHS Guidance for Implementing the NIST CSF
Concurrently published in March 2023, the U.S. Department of Health and Human Services (HHS) released its “Health Care and Public Health Sector Cybersecurity Framework Implementation Guide.” The guide is a non-binding publication to assist hospitals, healthcare providers and facilities with implementing the NIST Cybersecurity Framework (CSF).
As HHS explains, “organizations need a practical approach for addressing cybersecurity challenges. Boards and executive management want better insight into how cybersecurity management decisions are made.” The HHS guidance covers five key categories for boards to consider:
- Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- Understand the legal implications of cyber risk as they apply to the company’s specific circumstances
- Ensure they have adequate access to cybersecurity expertise, and that discussions about cyber-risk management are given regular and adequate time on the board meeting agenda
- Set the expectation that management will establish an enterprise-wide cyber-risk management framework
- Include identification of which risks to either avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach, in discussions of cyber risks between the Board and organizational management
Monitoring and visibility are key today to reducing the dwell time of threat actors and the level of damage they can do in medical and healthcare systems, networks, and environments. They are also necessary for root cause analysis to determine whether an issue is caused by a cyber threat actor, equipment malfunction, misconfiguration, or ransomware. This is more important than ever, given recent survey responses in which medical device manufacturers themselves say a top security challenge is “managing a growing set of tools and technologies, partly explained by the lack of high-level ownership.”
A trusted and responsible cybersecurity leader has four things to consider for building a mature security program:
- Network status: it is often repeated that you cannot protect what you cannot see, but you also cannot investigate a mishap or accident to understand the root cause of a cyber incident without a dynamic, real-time status map of the inventory of machines and computers communicating in your environment
- Product vulnerabilities: vulnerabilities are not all the same; the degree to which they impact the integrity and availability of systems varies. Some vulnerabilities have limited scope in that they only apply to a few types of software features or interfaces, and others may have compensating controls in place that mitigate their severity.
- Threat actor capabilities: for many medical devices, the primary attack surface is their default credentials over SSH. Once the attacker has gained entry, they will check to determine the underlying operating system to decide which payload to install on the system, often to deploy a botnet attack.
- Data rich, information poor: behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security postures. Continuous monitoring and analytics help security leaders diagnose the root cause of unexpected operational changes and deviations from baseline behavior.
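As an added illustration (not part of the article or any vendor's tooling), the following Python sketch applies three of those considerations to a constructed set of device network records: it builds a live inventory of what is communicating, flags default-account SSH logins reaching a device from outside an assumed clinical VLAN, and reports devices talking to peers absent from an assumed baseline. The record format, VLAN range, default account list, and baseline are all assumptions made for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed sample records "src,dst,proto,user,result" as a hypothetical
# network sensor might export them; real deployments parse NetFlow/syslog.
RECORDS = """\
10.20.1.15,10.20.1.200,dicom,,ok
10.20.1.16,10.20.1.200,dicom,,ok
10.20.1.17,10.20.1.200,dicom,,ok
10.20.9.9,10.20.1.15,ssh,root,fail
10.20.9.9,10.20.1.15,ssh,root,ok
10.20.1.17,203.0.113.7,https,,ok
10.20.1.200,10.20.1.15,ssh,biomed,ok
""".splitlines()

CLINICAL_VLAN = ipaddress.ip_network("10.20.1.0/24")   # assumed device VLAN
DEFAULT_ACCOUNTS = {"root", "admin", "service"}        # assumed vendor defaults
# Baseline peers per device, assumed to be learned during a known-good window.
BASELINE = {"10.20.1.15": {"10.20.1.200"}, "10.20.1.16": {"10.20.1.200"},
            "10.20.1.17": {"10.20.1.200"}}

def parse(lines):
    keys = ("src", "dst", "proto", "user", "result")
    return [dict(zip(keys, line.split(","))) for line in lines]

def inventory(records):
    """Network status: every address seen communicating and the protocols it used."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add(r["proto"])
        seen[r["dst"]].add(r["proto"])
    return {addr: sorted(protos) for addr, protos in seen.items()}

def default_cred_ssh(records):
    """Threat-actor capability: SSH logins to a device with a default account
    from outside the clinical VLAN. Failed attempts are kept too, since a burst
    of them is the earliest signal before a successful login."""
    return [(r["src"], r["dst"], r["user"], r["result"]) for r in records
            if r["proto"] == "ssh" and r["user"] in DEFAULT_ACCOUNTS
            and ipaddress.ip_address(r["src"]) not in CLINICAL_VLAN]

def baseline_deviations(records, baseline=BASELINE):
    """Behavioral analysis: devices talking to peers absent from their baseline."""
    peers = defaultdict(set)
    for r in records:
        peers[r["src"]].add(r["dst"])
        peers[r["dst"]].add(r["src"])
    return {dev: sorted(peers[dev] - known) for dev, known in baseline.items()
            if peers[dev] - known}

if __name__ == "__main__":
    recs = parse(RECORDS)
    print("inventory:", inventory(recs))
    print("default-credential ssh:", default_cred_ssh(recs))
    print("baseline deviations:", baseline_deviations(recs))
```

In practice the baseline would be rebuilt on a schedule and the alerts joined with the device's SBOM and CVE exposure so the triage output distinguishes an actor from a misconfiguration.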