A risk and regulatory expert breaks down the implications of a new law that goes into effect Wednesday.

Amanda Pedersen

March 28, 2023


FDA has previously released guidance on medical device cybersecurity, but it never really had teeth – until now.

Late last year, President Joe Biden signed a $1.7 trillion omnibus appropriations bill into law, which included authorization for FDA to confirm that medical devices meet specific cybersecurity standards before hitting the market. The law also requires medical device manufacturers to maintain adequate post-market surveillance from a cybersecurity standpoint, and addresses both device hardware design as well as device software, according to a report published by PwC. The legislation goes into effect tomorrow.

MD+DI sat down with Tiffany Gallagher, health industries risk and regulatory leader at PwC and one of the authors of the report, who helped us break down the implications of the new medical device cybersecurity requirements.

What is the current state of medical device cybersecurity?

According to studies cited in a September 2022 report on medical device cybersecurity published by the FBI, 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities, and about a third of healthcare IoT devices have an identified critical risk potentially impacting the technical operation and functions of medical devices.

Medical devices that are susceptible to cyberattacks include (but are not limited to) insulin pumps, implantable cardiac defibrillators, mobile cardiac telemetry, pacemakers, and implantable pain pumps. Hackers can potentially direct these devices to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.

Citing research from 2021, the FBI noted an average of 6.2 vulnerabilities per medical device, and recalls were issued for critical devices such as pacemakers and insulin pumps with known security issues, while more than 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades.

"The current state, as it relates specifically to medical device product security, is very immature," Gallagher told MD+DI. "This is a very important piece of legislation that we really hope will move the needle, specifically as it relates to med devices because you're talking directly [about] patients' safety."

The Medical Device Innovation Consortium (MDIC) published a medical device cybersecurity benchmarking report in October 2022, which came to the same conclusion.

"The cyber threat landscape is constantly evolving, with each innovation opening new threat vectors. This is as true for the medical technology industry as it is for any other, with the added concern of patient safety," the authors of the MDIC report wrote. "Our results indicate that while cybersecurity maturity varies significantly between [medical device manufacturers], the industry as a whole has a low level of cybersecurity maturity, especially concerning design control."


First comes life-cycle management

"Before you even get there, you need to know where your devices are and where they exist in the market, and that idea of having product life-cycle management is also not incredibly mature," Gallagher said. "... How do you track, how do you identify challenges within those assets that you have, when and how do you decommission."

Figuring those things out will be a critical focus for manufacturers as they implement the medical device cybersecurity requirements under the new legislation.

While the law will apply to new medical devices going through FDA review, Gallagher said there is a need for organizations to take a step back and understand their current exposure to cyberattacks, because healthcare providers are beginning to reach out to manufacturers to ask questions about cybersecurity as it relates to existing products.

What should medical device manufacturers be doing now to get up to speed?

Gallagher and her co-authors note several steps in their report for medical device companies to get up to speed on cybersecurity:

  • Develop a vulnerability management plan. As part of the new legislation, manufacturers will need to continually update the software in their devices and remediate any security vulnerabilities. "So, now’s the time to develop a plan to monitor and address any risks (including access, configuration and hardware vulnerabilities) and establish a process to proactively disclose any security issues to the FDA," they wrote. "Product life-cycle management is a key activity to inform the vulnerability management plan."

  • Track your devices and software supply chain. "You’ll want to understand all your products inside and out, including what they do, their risk profiles, how they’re currently being protected, where they’re located and more," the authors note. "Going forward, you’ll need to know where any new devices reside if you’re going to patch and protect them. You’ll also need to update the software bill of materials for all connected products in your portfolio, including the third-party software embedded in your devices. Product life-cycle management should inform your procedures for discontinued products and technologies no longer supported."

  • Assess devices already in-market. "Manufacturers cannot simply gain approval without review based on an existing substantially-like product to bypass the requirements as they could previously," Gallagher and her colleagues wrote. They add that even with FDA's existing non-binding guidance, the agency has taken enforcement action under post-market surveillance, and recalls have taken place in the last few years.

  • Understand your business strategy. "Given the additional cybersecurity compliance, you may now want to review your product portfolio, focus on core products or decide to phase out old ones or allocate more research and development dollars to cyber than you had before," the authors wrote. "Getting a handle on strategy, and how these rules might impact your business, should be a top priority."

    They also encourage medical device manufacturers to consider their distribution strategy. "Over the years, manufacturers have sold units — often through sales intermediaries such as distributors — but haven’t necessarily kept track of those assets," they note. "That makes it much harder for manufacturers to monitor and patch software or even to plan phaseouts of old products, both critical steps to protect devices from attacks. This will have to change under the law."

  • Integrate compliance by design. "Start building security features directly into new product designs. Not only is that good practice — it’s much harder to add security into a product after it’s already built — but new device applications have to be submitted to the FDA that outline your cyber plans," the PwC authors wrote.

  • Reassess how you manage IT risk. "Consider harmonizing your IT risk management functions/processes to address both GxP and cyber, as well as potentially other (e.g., privacy, Sarbanes-Oxley Act) risks and controls," they noted.

"The first step is really like making sure you have a mechanism in place to track all your devices and going back to that product life-cycle management," Gallagher said. "And that becomes really important and a little bit complicated because it's not just the device itself but if those devices have software on them that's connected, having the bill of materials of what that software is becomes an important part of that broader product life-cycle management."
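The report's first three steps (a vulnerability management plan, a tracked fleet with a per-model software bill of materials, and an assessment of devices already in the field) only pay off once they are joined together. The script below, an added example that is not from the article, from PwC or from any real manufacturer, shows that join: it reads a CycloneDX-style SBOM per device model, matches each component against an advisory list using a version range, and then walks a fleet inventory to decide whether each unit can be patched, has passed its support end date, or has no SBOM at all. Every device model, component name, version, serial number, site, support date and advisory identifier in it is constructed for illustration and refers to no real product or CVE.

```python
"""Join fleet inventory -> per-model SBOM -> vulnerability advisories.

All data below is constructed for illustration: the device models, component
names, versions, serial numbers, sites, support dates and advisory identifiers
are hypothetical and do not refer to real products or real CVEs.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable 3-tuple.
    Non-numeric suffixes such as '2.4.0-rc1' are ignored, so '2.4.0-rc1'
    compares equal to '2.4.0'; treat that as a conscious simplification."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str, advisory: dict) -> bool:
    """An advisory covers the half-open range [introduced, fixed_in)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed_in"])


# Constructed CycloneDX-style SBOMs, one per hypothetical device model.
DEVICE_SBOMS = {
    "pump-model-a": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "2.3.7"},
            {"type": "library", "name": "ble-stack", "version": "5.1.0"},
            {"type": "operating-system", "name": "rtos-kernel", "version": "8.2.0"},
        ],
    },
    "monitor-model-b": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "tls-stack", "version": "2.4.1"},
            {"type": "library", "name": "ble-stack", "version": "5.0.2"},
            {"type": "operating-system", "name": "rtos-kernel", "version": "7.9.3"},
        ],
    },
}

# Constructed advisories (hypothetical identifiers, not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-stack", "introduced": "2.0.0", "fixed_in": "2.4.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "ble-stack", "introduced": "5.0.0", "fixed_in": "5.1.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "rtos-kernel", "introduced": "7.0.0", "fixed_in": "8.0.0", "severity": "medium"},
]

# Constructed fleet inventory: where each unit is and when vendor support ends.
# The last unit deliberately references a model with no SBOM on file.
FLEET = [
    {"serial": "A-1001", "model": "pump-model-a", "site": "hospital-east", "support_end": date(2026, 6, 30)},
    {"serial": "A-1002", "model": "pump-model-a", "site": "clinic-north", "support_end": date(2026, 6, 30)},
    {"serial": "B-2001", "model": "monitor-model-b", "site": "hospital-east", "support_end": date(2022, 12, 31)},
    {"serial": "C-3001", "model": "legacy-telemetry-c", "site": "clinic-north", "support_end": date(2021, 1, 31)},
]
TODAY = date(2023, 3, 28)  # constructed "as of" date for the support check


@dataclass(frozen=True)
class Finding:
    serial: str
    model: str
    site: str
    component: str
    version: str
    advisory_id: str
    severity: str
    action: str  # "patch", "eol-review" (support has ended) or "inventory-gap"


def findings_for_model(sbom: dict, advisories: list) -> list:
    """Return (component, version, advisory) triples that affect one SBOM."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv))
    return hits


def triage_fleet(fleet: list, sboms: dict, advisories: list, today: date) -> list:
    """Decide a per-unit action from its model's SBOM hits and support status."""
    per_model = {m: findings_for_model(s, advisories) for m, s in sboms.items()}
    out = []
    for unit in fleet:
        hits = per_model.get(unit["model"])
        if hits is None:
            # A unit with no SBOM is itself a finding: it cannot be assessed.
            out.append(Finding(unit["serial"], unit["model"], unit["site"],
                               "<no-sbom>", "", "", "unknown", "inventory-gap"))
            continue
        action = "patch" if unit["support_end"] >= today else "eol-review"
        for name, version, adv in hits:
            out.append(Finding(unit["serial"], unit["model"], unit["site"],
                               name, version, adv["id"], adv["severity"], action))
    return out


def summarize(findings: list) -> dict:
    """Count findings by action."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


def run_example() -> list:
    return triage_fleet(FLEET, DEVICE_SBOMS, ADVISORIES, TODAY)


if __name__ == "__main__":
    results = run_example()
    for f in sorted(results, key=lambda f: (f.action, f.serial)):
        print(f"{f.serial:7} {f.model:19} {f.site:14} {f.component:12} "
              f"{f.version:6} {f.advisory_id:17} {f.severity:9} -> {f.action}")
    print(summarize(results))
```

The version-range match is deliberately the half-open interval advisories usually state (introduced up to, but excluding, the fixed release); off-by-one errors here are how a device on the exact fixed version gets flagged, or one just below it gets missed. The "eol-review" verdict is the point the article's 40% end-of-life figure raises: a known-vulnerable component on an unsupported model cannot be fixed by the normal patch path, so it needs a decommissioning or compensating-control decision rather than a ticket. The "inventory-gap" verdict is the product life-cycle problem Gallagher describes, a unit you know exists but cannot assess.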

But it certainly won't be easy.

"This is going to be hard for the industry, because cybersecurity is hard, doing it on their devices is hard," Gallagher said. "I mean, there's not enough cyber talent ... cyber's just hard in general and ... tracking devices is going to be hard, you can't have downtime."

You've heard of design for manufacturability, now think 'design for cybersecurity'

Medical device R&D teams are already well-versed (or should be) in the concept of design for manufacturability, now they just need to get used to incorporating cybersecurity features into new product designs. As Gallagher and her co-authors noted in their report, it is much harder to add cybersecurity into a product after it's already built.

"Cybersecurity by design, or compliance by design, will be a key aspect there because you're going to have to show that to the FDA," Gallagher said.

"There's a broad spectrum of risks manufacturers will need to think about ... building it all up front just makes perfect sense," she said. "And thinking about it in an integrated way, like, 'what are all the risks I'm trying to mitigate?'"

Important milestones to be aware of

  • March 29: Amendments to the Food, Drug, and Cosmetic Act take effect. Applications submitted before this date are not subject to the new medical device cybersecurity requirements.

  • June 27: Based on submitted plans, FDA is expected to report on how companies are improving their medical device cybersecurity within 180 days of enactment.

  • December 29: The Government Accountability Office has to provide a report identifying cybersecurity challenges in the sector within one year of enactment.

  • Dec. 29, 2024: FDA has to provide updated medical device cybersecurity guidance for manufacturers within two years of enactment.

"FDA will look at everything that's been happening in the market, questions that are continuously coming in as well as what they're seeing around applications ... and be able to give that feedback back to the team or back to the group," Gallagher said.

About the Author(s)

Amanda Pedersen

Amanda Pedersen is a veteran journalist and award-winning columnist with a passion for helping medical device professionals connect the dots between the medtech news of the day and the bigger picture. She has been covering the medtech industry since 2006.
