The March 29th FDA rule changes for the acceptance of new medical devices are a long-awaited and major step in the right direction towards improving the security of medical devices. Finally, after more than a decade of pressure from cybersecurity leaders and healthcare providers, manufacturers of medical devices are to be held to a much higher standard of security design, manufacture, and support of the devices they produce and sell or lease to providers.
This includes the broader sharing of security information including a Software Bill of Materials (SBoM) of the components within each device and the testing and disclosure of any known vulnerabilities. No longer can manufacturers simply produce devices and move onto the next innovation. They now have a legal duty of care to support those devices they produce from now on. This change goes into effect on Oct 1st and sets a new standard of acceptance by the FDA. Devices submitted that do not adequately demonstrate adherence to the new requirements will likely be refused acceptance and will not be cleared for use.
The fact that the rules were published on the last Friday in March, the very last day that Congress stipulated in its Consolidated Appropriations Act of 2023 (signed into law on Dec. 29), shows just what a herculean task these rules must have been for the FDA and the very small team tasked with the security of medical devices. The size of that team looks to be expanded over the coming months, but the government is not renowned for moving quickly, so these rules were likely framed by the existing small team headed by Dr. Suzanne Schwartz in the Office of Strategic Partnerships & Technology Innovation at CDRH. This is a group with a long history of dialog with manufacturers and healthcare cybersecurity leaders, with in-depth knowledge of both medical and cybersecurity concerns.
“I would expect there to be many more changes to the rules published by FDA over the next year or two as requirements are refined and clarified more definitively,” claimed Richard Staynings, Chief Security Strategist with Cylera and Adjunct Professor of Cybersecurity and Health Informatics at the University of Denver, who has been following these changes closely.
“The manufacturing industry has a long history of claiming not to understand many years of voluntary FDA Pre-Market Guidance, and so avoided making changes. I suspect that some will try the same approach now that the rules are mandatory,” suggested Staynings. “This reluctant approach to change, combined with, I suspect, some real ambiguities despite the hurried best efforts of the FDA, will manifest itself in minor changes becoming necessary to the rules.”
Indeed, the recently published FDA final guidance only impacts new devices being submitted for approval. The new rules fail to address those medical devices that are already approved and in use by medical providers. With a lifespan of between 8 and 20 years, legacy medical devices will be a feature of hospitals and other providers for many years to come. They number in the millions, and many are considered a security risk in today’s already vulnerable connected digital healthcare networks.
Hospitals have proven time and time again that amortization schedules on medical and IT equipment are not to be overridden by gaping security vulnerabilities unless severe patient safety risks can be demonstrated. This means that providers will need to continue to employ compensating IoMT security controls and widescale micro-segmentation of at-risk medical devices using network access control (NAC) and software-defined networking (SDN), capabilities most providers already own, though they may not realize it.
“I would suspect that in 2024, we will see additional FDA rules that provide increased security guidance on legacy devices and introduce new requirements for manufacturers,” claimed Staynings. “At the very least this will need to include publication of SBoMs for legacy devices and vulnerability disclosures. It ideally should also require manufacturers to test and make security patches available for legacy devices, though mandating this retroactively on already approved devices may be difficult. Furthermore, the legal mandate behind the rule changes may need some level of amendment to the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022.”
The Importance of an SBoM
Despite being a vital step in the security of medical devices, publication of SBoMs is not a panacea, nor are SBoMs foolproof; they merely give security teams a better understanding of their exposure when a component in a device is found to be vulnerable elsewhere. Given the widespread re-use of hardware and software components and software libraries by developers and systems manufacturers today, this will be useful to some providers. Smaller providers, and those with less mature security teams, will be unlikely to benefit from published SBoMs since they already lack the depth and breadth of capabilities to do much about known vulnerabilities. Small and ill-equipped hospital security teams are slowly going away, however, as health systems merge or take advantage of outsourced security specialists. “Knowing that a number of security vulnerabilities exist, and being able to do something about those vulnerabilities are two separate things,” claimed Staynings.
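The cross-referencing an SBoM enables, as an added example that is not part of the article: a provider's security team matches the components listed in a device's SBoM against a feed of known-vulnerability advisories to find which devices on the network carry an affected component. The device name, the SBoM contents and the advisory IDs are all constructed placeholders, not real products or CVEs.

```python
# Added example (not from the article): cross-reference a device SBoM
# against a known-vulnerability feed, the use case an SBoM is meant to serve.
import json

# Constructed, minimal CycloneDX-style SBoM for a hypothetical infusion pump.
DEVICE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "example-infusion-pump", "version": "3.2"}},
  "components": [
    {"name": "openssl", "version": "1.0.2u", "purl": "pkg:generic/openssl@1.0.2u"},
    {"name": "busybox", "version": "1.31.1", "purl": "pkg:generic/busybox@1.31.1"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"}
  ]
}""")

# Constructed advisory feed with placeholder IDs (not real CVEs):
# each entry says a component is affected below a given fixed version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl",
     "affected_below": "1.1.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "component": "busybox",
     "affected_below": "1.30.0", "severity": "medium"},
]

def version_key(v):
    """Turn '1.0.2u' into ((1,''),(0,''),(2,'u')) so versions compare numerically,
    with a trailing letter suffix breaking ties the way OpenSSL 1.0.x used it."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)

def match_advisories(sbom, advisories):
    """Return one hit per (component, advisory) pair whose affected range
    covers the version the SBoM declares for that component."""
    device = sbom["metadata"]["component"]["name"]
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["component"] and \
               version_key(comp["version"]) < version_key(adv["affected_below"]):
                hits.append({"device": device, "component": comp["purl"],
                             "advisory": adv["id"], "severity": adv["severity"]})
    return hits

if __name__ == "__main__":
    for hit in match_advisories(DEVICE_SBOM, ADVISORIES):
        print(hit)
```

With the constructed data only the OpenSSL component is flagged; BusyBox 1.31.1 is above the advisory's fixed version and zlib has no advisory, which is the triage an SBoM makes possible without touching the device.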
The New Manufacturer Paradigm
Over the next six months, manufacturers of ‘cyber’ connected medical devices will need to evaluate the security of the devices they have in development: to consider each device’s overall security protections, to test each device for security vulnerabilities, to build and maintain improved security documentation including an SBoM, and to develop improved capabilities to support the new requirements around security vulnerability disclosure. “This should not be ‘news’ to any of them given the passage of the PATCH act on March 15th 2022, over a year ago, or years of FDA guidance preceding the act. In fact, all manufacturers have seen the writing on the wall for quite some time,” claimed Staynings. “Manufacturers should examine the new FDA rules very closely and seek immediate clarification if they don’t understand fully, so that their devices are not refused acceptance come October.”
A Welcome Reset
“The passage of the new rules is a welcome reset for medical device security,” claimed Staynings during an interview with SCMedia. Medical devices have been one of several open backdoors to securing healthcare for quite some time, and with growth in medical devices hitting 18% per annum in 2022, this is both a growing concern and a gaping risk that is now finally, after much effort, being addressed by the new FDA rules.