Unveiling the Urgency: Navigating the Complex Landscape of Medical Device Cybersecurity

MedSec CEO Michelle Jump explains why legacy medical devices are so hard to secure, what a device security management program should include, and what FDA now expects of manufacturers before and after a product reaches the market.

Bob Kronemyer

February 7, 2024

MedSec CEO Michelle Jump, MS. Image courtesy of MedSec

At a Glance

  • There's an increased sense of urgency for cybersecurity in the medical device industry.
  • Legacy medical devices face unique vulnerabilities because they often rely on outdated platforms and lack adequate support.
  • Jump outlines key pillars for effective medical device security management.

Demand for more cyber-secure medical devices is adding strain on manufacturers, and legacy products are particularly vulnerable to attack.

One company at the forefront of helping manufacturers improve product cybersecurity is MedSec, headquartered in Miami Beach, Fla. CEO Michelle Jump, MS, who spoke on medical device cybersecurity at MD&M West, shared some insights with MD+DI.

Why are hospitals and regulators raising the bar on medical device cybersecurity?

Jump: The focus on cybersecurity has been going on for over 10 years. The increased threat to the healthcare infrastructure started in 2016 with a major ransomware attack that hit half the entire hospital network in the United Kingdom, followed by other attacks impacting healthcare systems worldwide. Healthcare systems will continue to be targeted by both malicious actors and nation-state level cyberattacks because they are part of the nation’s critical infrastructure.

Why are medical device manufacturers at high risk for cyberattacks?

Jump: Medical devices often use existing platforms that are updated with new functionalities as they release new generations of devices. But we don’t typically overhaul the entire system. These devices are commonly built on operating systems that usually are retired before the actual medical device is decommissioned in the hospital, which creates a lot of unsupportable devices.


Older, harder-to-secure systems make securing them very difficult. You need to patch these systems frequently. They are also complex systems with many software components. Numerous vulnerabilities emerge in that software over time, creating a patching burden for the hospital. One hospital could have 6,000 different kinds of medical devices, so that’s a lot of maintenance. Patching them can interrupt the clinical workflow. In essence, medical devices tend to be vulnerable for longer than is ideal.

What constitutes a solid foundation of medical device security management?

Jump: The first pillar is secure design, followed by security risk management, which also includes threat modeling. Postmarket management for vulnerability monitoring and patching is also important.

Proper labeling is key as well. A lot of people disregard labeling as an important risk management activity. But good labeling means we have good communication between the manufacturer and the hospital for continuing cybersecurity support.

What is FDA’s latest expectation of cybersecurity?

Jump: Last September, we received long-awaited final premarket guidance for cybersecurity from FDA, along with the Consolidated Appropriations Act of 2023 (Omnibus), which created our first statutory (or legal) requirement on cybersecurity, primarily focused on the postmarket phase.


So, right now, when someone puts in a submission, they are required by law to provide their plan for managing that product once it goes out on the market. This includes vulnerability monitoring, patching, and maintaining and understanding the risk of cyberattacks.

A big part of the premarket is security risk management, which includes threat modeling, whereby we look at a device and try to understand on paper how it could be attacked. This is combined with penetration testing, where you actually give the product to a good guy to see if he can break into it before a bad guy gets a hold of it. You may need to fix things that the good guy finds before it can go to market.

There has also been an increased focus on secure design. Appendix 1 in FDA guidance provides a strong outline of security controls and specific ways FDA wants to have those controls implemented on the device.

What are the greatest cybersecurity challenges for manufacturers going forward?

Jump: We are going to continue to have this legacy device problem. In some cases, certain device components are no longer supported by the manufacturer of the component and therefore no longer provide patches to new vulnerabilities. Thus, a lot of older devices are truly not securable anymore, but hospitals cannot afford to replace them all.
