New FDA cybersecurity standards are a paradigm shift in device security

Toughening of policy rules involving medical device manufacturing will lead to more accountability and give purchasers more leverage.



The newly enacted Food and Drug Administration policy changes target critical medical device security issues that have long challenged device manufacturers and healthcare delivery organizations. As of October 1, new device submissions are required to be designed with security in mind and to include a software bill of materials (SBOM) that tells network defenders where known vulnerabilities exist in a device.

Despite quiet pushback from some manufacturers, there’s a clear consensus that the new rules will shape the future of medical device and IoMT security in healthcare, although the full impact won’t be realized for years to come.

Healthcare’s cybersecurity hurdle

Medical device security is one of the biggest cybersecurity challenges facing the healthcare sector because of a complex ecosystem and a heavy reliance on legacy technology and devices, many of which directly touch patients and were simply not designed with security in mind. And it's the healthcare delivery organizations that have borne the responsibility of securing the device infrastructure.

But even heavily resourced health systems can’t meet the breadth of the task. By rejecting new device submissions that don’t meet FDA cybersecurity standards, these new requirements will effectively begin the shift toward a more secure healthcare infrastructure overall.

Manufacturers will see the largest impact from these changes. The FDA has made clear that it is enforcing accountability on the market, even if that is onerous for vendors. The requirements include disclosing all known vulnerabilities, which forces manufacturers to evaluate the foundational software and hardware elements of their devices and either ensure they are secure or set a timeline for when those gaps will be closed.

An SBOM lists all of these elements, which makes vulnerability identification possible. For example, when a vendor finds and discloses a new vulnerability, the SBOMs would, theoretically, let mature healthcare entities determine whether the impacted software or hardware component is present in any of their many devices.

SBOMs are designed to improve an organization’s ability to assess the vulnerability of its devices by stating each device’s precise build state. That data is crucial to informing the recommendations that go into risk reduction strategies.
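The cross-referencing step described above, as an added illustration written for this page (it is not code from the article, the FDA or any manufacturer): a defender holds one SBOM per fielded device, receives an advisory naming an affected component and version range, and asks which devices carry an affected build. The SBOM documents follow a loosely CycloneDX-like JSON shape, and the device names, component versions and the advisory ID are all constructed placeholders, not real products or real vulnerabilities.

```python
"""Cross-reference device SBOMs against a vulnerability advisory.

Added example, not code from the article, the FDA or any vendor. The SBOM
documents loosely follow the CycloneDX JSON shape ("components" entries with
"name" and "version"); the device names, component versions and the advisory
itself are constructed placeholders, not real products or real vulnerabilities.
"""
import json
import re

# Constructed: one SBOM per fielded device, as the JSON text a manufacturer
# might ship with a submission. Kept as strings to show the parsing step.
DEVICE_SBOMS = {
    "infusion-pump-model-A (constructed)": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "1.1.1k"},
            {"name": "busybox", "version": "1.31.1"},
        ],
    }),
    "patient-monitor-model-B (constructed)": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "OpenSSL", "version": "3.0.2"},
            {"name": "sqlite", "version": "3.36.0"},
        ],
    }),
    "ventilator-model-C (constructed)": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "mbedtls", "version": "2.28.0"},
        ],
    }),
}

# Constructed advisory in an OSV-like "introduced / fixed" shape. The ID is a
# placeholder and does not refer to any real CVE or vendor bulletin.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-001",
    "component": "openssl",
    "introduced": "1.1.1",   # first affected version (inclusive)
    "fixed": "1.1.1l",       # first fixed version (exclusive)
}


def parse_version(text):
    """Turn '1.1.1k' into a comparable tuple.

    Numeric runs become (0, int) and alphabetic runs (1, str), so tuples
    compare element-wise without mixing int and str, and a bare '1.1.1'
    sorts before '1.1.1k' because it is a strict prefix.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", text):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_devices(sboms, advisory):
    """Map each device whose SBOM lists an affected build of the component
    to the version found. Component names are matched case-insensitively."""
    wanted = advisory["component"].lower()
    hits = {}
    for device, sbom_text in sboms.items():
        sbom = json.loads(sbom_text)
        for component in sbom.get("components", []):
            if component.get("name", "").lower() != wanted:
                continue
            if is_affected(component.get("version", ""), advisory):
                hits[device] = component["version"]
    return hits


if __name__ == "__main__":
    for device, version in affected_devices(DEVICE_SBOMS, ADVISORY).items():
        print(f"{ADVISORY['id']}: {device} ships {ADVISORY['component']} {version}")
```

Run as-is, the script reports only the infusion pump: the monitor carries a build past the fixed version and the ventilator does not list the component at all. Real SBOMs carry richer identifiers (package URLs, hashes) that make this match far more reliable than a name-and-version comparison, which is exactly why the precise build state an SBOM records matters to the defender.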

The effect on providers

The question remains – just how will providers be affected by these changes? The reality is not much – not without structured policies.

If an organization is fairly mature and secure, it will be able to use the SBOM information as described. The measure is good for risk reduction and for planning, because it provides transparency and more useful data for planning and implementing remediating controls.

SBOMs can also be used for pre-procurement and defensible contracts around original equipment manufacturer expectations for security.

The problem is that the vast majority of organizations don't have the resources and programs in place that would put the information to use. So, unless an organization has dedicated resources to make use of this invaluable data or access to an outside firm for support, it won’t see a benefit.

It’s time to overhaul contracts

The device-level impacts within the healthcare setting are minimal. But the policy and strategy elements are real.

To reap the benefits from these FDA changes, provider organizations should review their current contracting processes and outline the security measures required of contracted vendors – rooted in the FDA requirements for new device submissions.

The idea of using contractual leverage with medical device manufacturers is not new. Applied to contracting with device vendors, an organization can affirm that it will not buy from a vendor unless the vendor meets its contractual terms and provides service manuals and training.

Many organizations have already begun using this approach to force vendors’ hand and ensure they adhere to baseline standards. Vendors may push back on these requirements, particularly those with specialized offerings. But in competitive markets like infusion pumps and patient monitoring tools, providers will have more leverage to insist on specific cyber requirements.

The FDA is not alone in its requirements. Cyber insurance companies are detailing the same rules. It stands to reason that organizations with leverage from purchasing groups that detail their minimum expectations can expect to see vendors positively respond to those requests.

Security leaders can also apply this to purchasing new products, ensuring that the devices are indeed new and not ones that have been sitting on a factory shelf for a year. Contracts should specifically state that new stock is required, which will mean the latest drivers are installed. This will reduce the workload of IT staff, who will no longer need to update a whole fleet of devices before they’re put to use.

The FDA has planted its flag in cybersecurity requirements for the healthcare space. Manufacturers and provider organizations can expect to see more regulations moving forward, particularly as state and federal regulators keep privacy and security in focus in policy changes, enforcement, and executive orders. Providers should use these rules to demand better security from their manufacturers, as cybersecurity is patient safety.

Olin Dillard is executive vice president of clinical and operational technology for First Health Advisory.
