Medical Device Cybersecurity: A Crucial Part of US Healthcare Cybersecurity Policy

The Biden administration’s Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, recently stressed in a Washington Post event the importance of cybersecurity in the healthcare, water, and communication sectors. “Pretty much last in the race,” this is how Neuberger characterized the United States’ implementation of minimum security standards for critical infrastructure.

The welcome news is that this problem has not been left unaddressed. The United States is already mulling a number of actions to address the cyber risks affecting crucial institutions and facilities. In particular, the White House plans to introduce new healthcare cybersecurity standards and guidance.

Medical device cybersecurity

Neuberger said that the United States Department of Health and Human Services has already started working with partners at hospitals to enforce minimum cybersecurity guidelines with further work being undertaken to secure “devices and broader healthcare.” The government acknowledges that significant risks exist because of the presence of digital and connected medical devices.

Medical device cybersecurity is a reality that organizations have to face to protect sensitive data, their IT assets and infrastructure, as well as the lives of their patients. The Biden government appears committed to making sure that medical devices do not become the vulnerabilities that endanger healthcare IT facilities and threaten lives.

People remain the weakest link in the healthcare cybersecurity chain, but this does not mean ignoring the threats to medical devices until the human security weakness is fully resolved. Social engineering or people-targeted cyber assaults and attacks on medical equipment need to be addressed simultaneously.

There is a pending bill introduced by Senator Rosen in May 2022 called “S.4336 – Strengthening Cybersecurity for Medical Devices Act.” It specifically addresses the risks of using outdated and insecure electronic devices in the medical and healthcare field. This legislation aims to require the Secretary of Health and Human Services to review and update guidance for the medical industry and FDA staff on the security of medical devices.

Additionally, the Rosen bill proposes that the FDA should share the relevant information it has accumulated with the public. The FDA is expected to publish a report that identifies the cybersecurity challenges for medical devices.

The Protecting and Transforming Cyber Health Care (PATCH) Act is also worth mentioning. This bill introduced by a bipartisan pair of senators, Cassidy and Baldwin, focuses on improving the security of medical devices. It intends to compel all premarket submissions for medical devices to reveal information about the cybersecurity protections installed or enforced in them. Devices will only be approved for market distribution if they are deemed secure.

Existing medical equipment cybersecurity regulations

It is unfortunate that the FDA appropriations bill passed in September without the provisions on cybersecurity requirements for medical devices. However, the silver lining is that legislators are aware of the threats to medical devices. Advocates for medical device cybersecurity are hopeful that the measure can be passed later on.

Nevertheless, there are already existing FDA-recognized standards intended to ensure medical device cybersecurity. Examples of these are UL 2900 and IEC 62443.

UL 2900 – Officially recognized by the FDA in June 2018, UL 2900 provides US medical device registrants, which include developers and manufacturers, a set of repeatable tests that generate evidence to support cybersecurity claims for specific devices. These tests seek out vulnerabilities, malware infections, and software integrity issues among connected devices used in the medical setting. This standard was developed with pre-market and post-market security taken into account, and also factoring in the ANSI Technical Panel's guidelines.

ISA/IEC 62443 – This industrial automation and control systems standard was recognized by the FDA in 2014 to guide medical device manufacturers in conforming to industry security benchmarks. It provides guidelines on how to establish a cybersecurity management system (CSMS) for medical device automation and control. It presents policies, procedures, practices, and the roles of personnel involved in setting up a CSMS for medical equipment automation and control systems.

It is encouraging for the United States Federal Government to take proactive steps toward ensuring healthcare equipment security. With the right people appointed to critical roles in managing the cyber threats targeting medical equipment and healthcare devices, these existing standards or guidelines can go a long way to 

An inconvenience for device makers?

Even with all the best intentions, there is reluctance over the government’s push to ensure medical device cybersecurity. Some device manufacturers as well as users consider the imposition of standards cumbersome or unnecessary. The removal of the medical device cybersecurity requirement from the FDA appropriation bill makes it amply clear that the resistance among device manufacturers and sellers is significant.

Under the previous paradigm, before the FDA standards and proposed legal requirements, the onus of making sure that the devices were operated securely was on the users, the hospitals, and other healthcare institutions. Things are gradually changing, as equipment manufacturers are slowly being forced to ensure the security of their medical devices before they offer their products to customers.

However, this should not be enough reason to oppose existing regulations and plans to include manufacturers as essential parties in establishing the cybersecurity of medical devices. There are available solutions that enable autonomous healthcare security and better healthcare service provider protection and visibility.

These solutions allow medical device makers to keep up with their ever-increasing attack surfaces brought about by the wider use of the Internet of Medical Things (IoMT), expand security observability, and make it easy to become compliant with cybersecurity standards and prescriptions. They do not need to formulate cybersecurity policies and schemes from scratch. They can take advantage of comprehensive cyber defense platforms that have been expertly built to handle the specific security requirements of organizations that offer medical devices to healthcare or medical institutions.

In conclusion

The American Hospital Association confirms that the healthcare industry is a top target for cybercriminals. Data show that security breaches involving health organizations increased significantly over the past few years. These breaches are not limited to data theft, which has been quite common. They also put patient safety at risk because of their potential to compromise the operation of medical equipment and shut down systems crucial to patient care.

Government attention on medical device cybersecurity is a welcome development. It benefits healthcare institutions and their patients. However, it is inevitable that some parties, especially among device manufacturers, have reservations over the compulsory cybersecurity guidelines for medical devices. This is not a solution-less problem, though, because medical device cybersecurity platforms exist, and they help resolve the difficulties on the ground.