Exploring the Value, Limitations of Medical Device Security Legislation

May 25, 2022 - Recently introduced medical device security legislation such as the Protecting and Transforming Cyber Health Care (PATCH) Act, the Food and Drug Administration's (FDA) medical device security provisions within its user fee legislation, and a plethora of industry guidance within the past year signify a positive shift in the healthcare sector. Industry experts and legislators are increasingly prioritizing medical device security.  

Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and naturally pose security risks. Ongoing struggles with securing and keeping track of medical devices, the industry's reliance on legacy systems, and an increased focus on cybersecurity at a federal level have prompted legislative action.

The introduction of medical device security legislation is a significant step forward for healthcare. The legislation could revolutionize how manufacturers secure devices at the premarket stage and how they roll out patches and vulnerability disclosures.

Of course, legislation alone will not solve healthcare's medical device security problems. Healthcare organizations cannot afford to wait years for legislation to be passed and implemented. The sector must address today's most pressing medical device security concerns in real-time. 

In the following sections, HealthITSecurity will provide a brief overview of recently introduced legislation along with tips for what organizations can do right now to secure their medical devices.

New Medical Device Security Legislation: A Step in the Right Direction

In April 2022, US Senators introduced the PATCH Act with the intention of ensuring medical device security at the premarket stage. 

If passed, the PATCH Act would "amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes," the bill stated.

Companion legislation was also introduced in the House of Representatives.

The Act would enable the implementation of critical cybersecurity requirements for medical device manufacturers applying for premarket approval through the FDA and require manufacturers to design, develop, and maintain updates and patches throughout the lifecycle of their devices.

Manufacturers would also have to create a thorough plan for addressing postmarket cybersecurity vulnerabilities promptly. In addition, manufacturers would be required to develop a software bill of materials (SBOM) for their product and its components.

SBOMs are beneficial because they make it easier to monitor vulnerabilities, communicate risks to users, and help developers understand dependencies across components.

In 2018, the FDA released SBOM market guidance, putting pressure on manufacturers to implement SBOMs. Although the healthcare sector is spearheading SBOM adoption, a lack of transparency and communication appears to be stalling progress, a Linux Foundation report found. The PATCH Act could be the push that the industry needs to increase SBOM adoption.

In addition to the PATCH Act, recently introduced FDA user fee legislation included medical device security provisions.

"For purposes of ensuring cybersecurity throughout the lifecycle of a cyber device, any person who submits a premarket submission for the cyber device shall include such information as the [HHS] Secretary may require to ensure that the cyber device meets such cybersecurity requirements as the Secretary determines to be appropriate to demonstrate a reasonable assurance of safety and effectiveness," the bill stated.

Manufacturers would be required to "design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device."

The bill put additional responsibility on medical device manufacturers to regularly assess vulnerabilities and provide an SBOM containing information about open-source, commercial, and off-the-shelf software components. If the Secretary finds that the cybersecurity information provided in the premarket submission is inadequate, they may issue a "non-substantial equivalence" determination.

Both legislative measures emphasized the need for SBOMs and were directly targeted at manufacturers. Accounting for security concerns at the premarket stage before products can be used in healthcare settings is a big step that should not be overlooked. It shows that the industry is giving this issue the attention it deserves and will potentially prompt further conversations on how to improve medical device security across the sector.

However, it is essential for healthcare organizations to recognize that medical device security is a shared responsibility, and legislation can only go so far. Until industry standards are solidified and legislation establishes clear guidelines, individual organizations should seek out security best practices to safeguard connected medical devices.

Legislation Alone Cannot Ease Connected Medical Device Security Concerns

"The PATCH Act is a really important step forward for the industry," Greg Murphy, president and CEO of Ordr, explained in an interview with HealthITSecurity.

"But anything related to the PATCH Act only applies to medical devices. That leaves 85 percent of connected devices in the healthcare environment that will not have any new regulatory protective framework around them."

The portable nature of many medical devices makes it challenging to keep a reliable inventory. In addition, the cyber threat landscape is always changing, forcing cybersecurity teams to constantly pivot their strategies accordingly.

The ongoing cybersecurity workforce shortage can make it even more difficult to patch devices in a timely manner. Organizations also must account for the multitude of connected devices that are not used for medical purposes, all of which come with their own set of cybersecurity risks.

"One of the most common issues we see are legacy operating systems," Murphy added.

"Every hospital has them. Devices like mobile phones and computers often last two years and cycle through, but that is absolutely not the case with medical devices."

If a medical device can still improve patient care effectively, there is seemingly no reason to replace it. However, end-of-life devices connected to the organization's network can pose security risks if no one is patching or updating them regularly. Even if the devices still perform well clinically, providers cannot overlook cybersecurity risks.

If passed, the PATCH Act could significantly impact manufacturers, which would then trickle down to the healthcare organizations that rely on medical devices. With SBOMs, transparency, and stricter premarket submission guidelines, security issues will ideally lessen, and patches can roll out more smoothly.

But on a day-to-day basis, Murphy suggested, the legislation will not immediately transform healthcare operations or automatically keep medical devices secure. 

"You have to start to think about what to do now and how to get visibility and control over your infrastructure today," Murphy emphasized.

While awaiting the passing of legislation, organizations can take preventive measures to protect their connected medical devices.

What Healthcare Organizations Can Do Now

"As opposed to waiting for the legislation, automate the inventory, understand the vulnerabilities, and take appropriate steps to segment and protect your most vulnerable devices," Murphy suggested.

"That's the process we see leading healthcare and security organizations working towards."

It can be difficult to know where to start in terms of creating an inventory and monitoring all connected devices, Murphy acknowledged.

"Every organization should immediately make sure they have visibility to what is connected to their network environment and monitor those devices. If you see a device behaving differently than it normally does, you can recognize that and act immediately," Murphy advised.

"That is an action that every organization can do over the course of weeks or months. It's not something that's going to take years, like a regulatory process."

Thankfully, many industry groups and the FDA have released helpful guidance and best practices documents for healthcare organizations to help them navigate medical device security challenges. For example, in late 2021, the FDA released best practices for communicating cybersecurity vulnerabilities to patients and caregivers. The document provided actionable tips for stakeholders to communicate connected medical device risks adequately and efficiently.

In addition, MITRE and the Medical Device Innovation Consortium (MDIC) partnered to release a playbook for medical device threat monitoring. The playbook incorporated insights from a series of threat modeling bootcamps for medical device manufacturers hosted by MITRE, MDIC and the FDA in 2020 and 2021.

In March 2022, the Healthcare & Public Health Sector Coordinating Councils (HSCC) published model contract language to help healthcare organizations ensure medical device security when crafting contracts with device manufacturers. The model contract language included considerations about vulnerability management, security patch validation, and incident response management, among other core principles.

Along with maintaining an automated inventory and keeping track of vulnerability disclosures, Murphy recommended implementing a zero trust security approach, segmenting potentially vulnerable devices from the network, and conducting risk assessments.

"It is very important to have a legislative framework to establish minimum standards that everyone has to adhere to. In an ideal world, that would have been done years ago, and we would have started to see the benefits of it now. But in the world that we live in today, the benefits could be years away," Murphy continued.

"That is why organizations should be implementing best practices from today forward and not thinking about this as a short-term problem that we're going to solve through vendor behaviors and regulatory pressure over the next two to three years."