Ransomware and other forms of cyberattack have become a critical issue for businesses, governments, and individuals. Medical centers, hospitals, and various healthcare organizations are now recognized as major targets of these malicious and costly attacks. Once a ransomware attack has been unleashed, there is little that can be done to stop it. Prevention is the most effective solution, and that has prompted the FDA to prioritize medical device manufacturing cybersecurity.
Medical device manufacturers are not currently held to any pre- or post-market requirement to address cybersecurity in their products. This leaves many vulnerabilities open to attackers who can potentially reach all types of connected healthcare infrastructure and individual devices. The perpetrators threaten to destroy or expose files, disable critical functions, and cause other harm if their demands are not met.
More Connectivity And Growing Vulnerabilities
The FDA is now turning to Congress to gain the legislative authority it needs to create more robust and cohesive medical device cybersecurity standards. The proposed adoption of the Software Bill of Materials (SBOM) would require a series of premarket submission standards for medical technology manufacturers.
As part of SBOM, new premarket submissions would need to include details on all device components. Manufacturers would also need to submit other provisions that guard against current and growing cyber threats.
Not only affecting the development and manufacture of new devices, the FDA aims to create standards that would require updating and patching capabilities for older devices. Although this would be a major challenge for manufacturers, legacy devices can be some of the most vulnerable to attack.
More Streamlined Risk Mitigation
SBOM’s requirements are designed to streamline risk mitigation on a large scale. By creating an electronic inventory of device components, including third-party parts, potential vulnerabilities could be identified and addressed by federal and private organizations. This would make post-market mitigation efforts more focused and effective. For example, if a component is shown to be a likely target of current ransomware attacks, SBOM would not only enable manufacturers that use that component to address the issue; the same information would also be available to hospitals, healthcare facilities, practitioners, and patients, who could take appropriate action and reduce risk.
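The inventory-to-advisory cross-reference the paragraph describes is the core of how an SBOM is used in practice: a hospital or manufacturer keeps a machine-readable list of each device's components and versions, and checks it against published vulnerability advisories whenever one appears. The script below is an added illustration of that matching step and is not code from the original post or from the FDA. The two device SBOMs, the component names, the supplier name, and the `ADV-EXAMPLE-*` advisory identifiers are all constructed placeholders, not real products or real advisories; the SBOM layout loosely follows the CycloneDX JSON shape (a `metadata.component` naming the device and a `components` list) but is a minimal hand-built dict, not a full implementation of that format.

```python
"""Added example: cross-referencing device SBOMs with vulnerability advisories.

All device names, components, suppliers and advisory IDs below are constructed
sample data, not real products or real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE
    component: str
    affected_below: str   # every version strictly below this one is affected
    remediation: str


def parse_version(v: str) -> tuple:
    """Turn '4.10.0' into (4, 10, 0) so comparison is numeric.
    A plain string comparison would wrongly rank '4.10.0' below '4.9.0'."""
    return tuple(int(part) for part in v.split("."))


def load_sbom(doc: dict) -> dict:
    """Return {device_name: [Component, ...]} from a minimal CycloneDX-like dict.
    'metadata.component' names the device; 'components' lists its parts."""
    device = doc["metadata"]["component"]["name"]
    parts = [Component(c["name"], c["version"], c.get("supplier", "unknown"))
             for c in doc["components"]]
    return {device: parts}


def affected_components(inventory: dict, advisories: list) -> list:
    """Cross-reference every device's components with the advisory list.
    Returns (device, component, advisory_id, remediation) tuples for each hit."""
    hits = []
    for device, parts in inventory.items():
        for part in parts:
            for adv in advisories:
                if (part.name == adv.component
                        and parse_version(part.version) < parse_version(adv.affected_below)):
                    hits.append((device, part.name, adv.advisory_id, adv.remediation))
    return hits


# Constructed SBOMs for two fictional devices (hypothetical names and versions).
SBOM_PUMP = {
    "metadata": {"component": {"name": "InfusionPump-Model-X"}},
    "components": [
        {"name": "tls-lib", "version": "1.2.0", "supplier": "ExampleVendor"},
        {"name": "rtos-kernel", "version": "4.10.0", "supplier": "ExampleVendor"},
        {"name": "json-parser", "version": "2.0.3"},
    ],
}
SBOM_MONITOR = {
    "metadata": {"component": {"name": "PatientMonitor-Y"}},
    "components": [
        {"name": "tls-lib", "version": "1.3.1", "supplier": "ExampleVendor"},
        {"name": "json-parser", "version": "1.9.0"},
    ],
}

# Constructed advisories with placeholder IDs (not real CVEs).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "tls-lib", "1.3.0", "upgrade tls-lib to 1.3.0 or later"),
    Advisory("ADV-EXAMPLE-0002", "json-parser", "2.0.0", "upgrade json-parser to 2.0.0 or later"),
    Advisory("ADV-EXAMPLE-0003", "rtos-kernel", "4.9.0", "upgrade rtos-kernel to 4.9.0 or later"),
]


def run_example() -> list:
    """Build the combined inventory and return every affected (device, component) pair."""
    inventory = {}
    for doc in (SBOM_PUMP, SBOM_MONITOR):
        inventory.update(load_sbom(doc))
    return affected_components(inventory, ADVISORIES)


if __name__ == "__main__":
    for device, component, advisory_id, remediation in run_example():
        print(f"{device}: {component} affected by {advisory_id}; {remediation}")
```

Two of the five components match. The pump's `rtos-kernel` 4.10.0 is correctly left out even though the advisory cut-off is 4.9.0, which is exactly the version-ordering mistake a naive string comparison would make; the same numeric parsing is what lets a hospital answer "which of our fleet runs the affected version" rather than only "which of our fleet contains this component".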
The FDA also wants the authority to require that med-tech manufacturers adopt coordinated vulnerability disclosure (CVD), which would consist of policies and procedures for sharing security weaknesses as they are identified. Although some manufacturers currently maintain such programs and release this information as a voluntary measure, the FDA aims to make this type of disclosure a requirement for all med-tech manufacturers, along with a more rigorous and methodical approach to device security.
What are your thoughts on the FDA’s approach to prioritizing medical device cybersecurity? Would these requirements impact your industry?
About the FDA
The Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices; and by ensuring the safety of our nation’s food supply, cosmetics, and products that emit radiation.
FDA also has responsibility for regulating the manufacturing, marketing, and distribution of tobacco products to protect the public health and to reduce tobacco use by minors.
FDA is responsible for advancing the public health by helping to speed innovations that make medical products more effective, safer, and more affordable and by helping the public get the accurate, science-based information they need to use medical products and foods to maintain and improve their health.
FDA also plays a significant role in the Nation’s counterterrorism capability. FDA fulfills this responsibility by ensuring the security of the food supply and by fostering development of medical products to respond to deliberate and naturally emerging public health threats.