As technology rapidly evolves, cybersecurity has become indispensable in many industries. As the risk of cyberattacks infiltrates the healthcare industry, U.S. Congress is pressured to take action. As a range of medical devices — IV pumps, MRI machines, heart rate monitors — advance to be able to connect to digital networks, they are increasingly vulnerable to cyber-related risks.
Cybersecurity risks on the rise
Several factors contribute to the rise in cybersecurity threats to medical devices. The most straightforward is the growth of connectivity in the medical industry. More and more, medical devices are being designed to connect to the Internet and other digital networks. While these technological advances bring numerous benefits, they open the software — and with it, patients’ data — to a world of risk. Attackers can exploit vulnerabilities in software or network connections to gain access to sensitive data, or even take over the device itself. In these instances, product recalls can be particularly dangerous to the lives of patients, since continued use of the device is not an option.
Remediation must also be considered. At times, connected devices can be fixed with an over-the-air software patch. Given the nature of some devices and their criticality to a patient’s health, however, neither a software patch nor a recall is a simple solution. There is also the heavy-duty equipment installed at hospitals and medical centers that cannot easily be removed from its physical location: MRI scanners, X-ray and ultrasound machines, to name but a few. As these devices become increasingly connected to hospital networks, they too become vulnerable to cyber threats. Where they cannot be fixed remotely with a software patch, it typically necessitates deploying a field engineer to inspect, diagnose and fix the device on-site.
The possibility of recall is not solely contingent on an actual incident, but also on susceptibility to cyber-attacks. Pre-emptive vulnerability testing plays a pivotal role in identifying weaknesses in the security fabric of these devices, helping to prevent incidents before they occur. Through ongoing assessment – and remediation of discovered exposure – healthcare providers and manufacturers can enhance the overall cybersecurity of critical medical equipment, reducing the risk of harm to patients and of data breaches.
Medical device regulators are rushing to keep up with rapidly evolving technology. Even so, there are no standardized security regulations across the industry. As a result, manufacturers are not designing their products with robust security, and the responsibility passes to healthcare providers to do their best at evaluating their devices’ security. Many medical devices are built on legacy systems that were not designed in line with modern security standards. These systems may be especially vulnerable to cyberattacks and more challenging — and expensive — to update to protect against modern threats.
Congress allocates cybersecurity funding
Until the passage of recent legislation, the U.S. Food and Drug Administration (FDA) had no power to enforce cybersecurity guidelines. A bill signed into law in December 2022, the Consolidated Appropriations Act, 2023 (H.R. 26217) — holding $1.7 trillion in discretionary resources across the fiscal year, the highest level of non-defense funding in American history — has the most real potential yet to curb cybersecurity threats. The omnibus appropriations bill is packed with funding for government programs, rural development and infrastructure, conservation, animal and plant health, agricultural and marketing research, and more.
Among it, $3.5 billion is allocated to the FDA to address issues including the opioid crisis, medical supply chain issues, and yes — improving cybersecurity of medical devices. It also, notably, gave the FDA the authority to establish and enforce cybersecurity standards for medical devices for the first time.
How the Consolidated Appropriations Act can help
The Consolidated Appropriations Act contains several provisions targeting cybersecurity of medical devices, while increasing the FDA’s regulatory authority.
First, security requirements will be implemented at an unprecedented federal level. Manufacturers will be required to implement security controls that prevent unauthorized access to devices, keep medical devices available during a cyberattack, and protect patient confidentiality and data. Each manufacturer will be required to submit a comprehensive cybersecurity plan to the FDA for review as part of pre-market approval, detailing its procedures for making post-market software and firmware updates available to customers.
Measures will also require improved transparency and accountability from manufacturers. Now, manufacturers must report cybersecurity incidents to the FDA (as well as affected patients) within a specific timeframe and provide updates on the progress of remediation efforts and plans to prevent similar incidents from occurring.
Product recalls and remediation concerns due to cyber threats happen frequently, and as agencies (like the FDA) increasingly voice their criticisms of manufacturer decisions publicly, manufacturers must follow suit and do things by the book to prevent public blowback. Consequently, there is more incentive to follow experts’ advice to establish recall and remediation plans that include how to respond to a product-related crisis. It is also suggested that manufacturers engage in mock recall exercises as part of their risk management protocols.
Some provisions go beyond targeting only medical device manufacturers — such as one key provision that establishes a new center within the FDA dedicated to improving and coordinating cybersecurity efforts for medical devices. The Cybersecurity Center of Excellence will develop and implement standards and best practices, provide guidance to manufacturers and health care providers and evaluate device security. Importantly, this will create a bridge between manufacturers and the federal government to create a path forward in addressing cybersecurity concerns in the medical device industry.
Other provisions promote information sharing and cooperation among stakeholders; the FDA will be required to establish a public-private partnership to promote cybersecurity within the industry. The FDA will also be obligated to establish a new pilot program designed to assess cybersecurity vulnerability reporting and provide the agency critical data on risks.
The projected impact
Now that the FDA, manufacturers and healthcare providers will be required to work in tandem, issues involving lack of clarity or transparency may finally be resolved. On the manufacturers’ end, with the requirements to detail cybersecurity information in recall reports, ensure high-level security standards and report information to the agency, the FDA and healthcare providers will have a wealth of information with which to better understand the cybersecurity risks associated with medical devices.
In turn, with the FDA required to provide guidance on post-market reviews, create a dedicated center to develop standards and establish the pilot program that targets vulnerabilities, manufacturers (and healthcare providers) will receive knowledge that helps them improve problem areas and lower the risk of product recalls.
When medical devices put patients at risk, swift action becomes critical. In addition to patient health, medical device recalls can have a devastating impact on a company’s brand and bottom line, and leave companies open to regulatory action and litigation. Sedgwick's brand protection experts provide decades of medical device experience — helping you develop, enhance, test and execute your product recall plans or remediation procedures.