By Shlomit Cymbalista, Head of Regulation at Sternum IoT
I don’t know about you all, but I have been on an emotional rollercoaster watching the US government dangle the carrot of federal funding in front of proponents for cybersecurity reform. Let’s take a quick stroll down memory lane.
Last year, the Biden administration proposed several pieces of legislation in support of cybersecurity advancements. These included the PATCH Act, which focuses specifically on security in healthcare, followed by updated guidance from the Food and Drug Administration (FDA) on cybersecurity in medical devices.
All seemed to be on the right track until September 2022, when the FDA authorization bill was passed without the $5.5 million specifically requested to support cybersecurity operations. The initial goal of this funding was to ensure that medical device manufacturers would be held accountable for the security of their devices, together with reasonable assurance of safety and efficacy.
2023 Omnibus Bill expands FDA authority
Fast forward to January 2023 and all seems right in the world again: the 2023 Omnibus Appropriations Bill was passed, providing funding and statutory authority to the FDA to regulate cybersecurity in medical devices.
This single decision can change the face of healthcare cybersecurity today. Yes, ensuring secure networks and strong incident reporting by healthcare institutions is important, but why not start at the root? After all, vulnerabilities in medical devices used in hospitals and clinical centers are like doors left unlocked for an intruder to walk through, or in our case, cybercriminals.
The Omnibus Bill lays out just how extensive the FDA’s new authority on cybersecurity will be. All manufacturers submitting to the FDA must demonstrate that their device meets the necessary cybersecurity requirements. In the past, cybersecurity was often assessed separately from the safety and effectiveness of the device, mostly incorporated as an “add-on” to the final product.
Now, manufacturers must implement a secure product development framework in which security is built into the device, or in other words, the device is “secure by design.” Cybersecurity should be seen as an integral part of the assessment of the safety and effectiveness of the device. Device security IS device safety.
The bill goes on to specify that all devices that contain software, are able to connect to the internet, or may be vulnerable to cybersecurity threats must comply with these requirements.
Although the FDA guidance (April 2022) clearly outlines what the agency expects manufacturers to provide as evidence, the Omnibus Bill does us the favor of laying it out in simple terms:
An application must include:
- “…a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”
- “…design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device.”
- “…provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.”
- “…comply with such other requirements through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure.”
What I found to be particularly revolutionary was that the FDA may apply these cybersecurity assurances to devices already cleared or approved for the market. It is not yet clear how this will be carried out or how it will affect devices currently on the market.
The bill also sets strict timelines for the update of the FDA’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance, as well as timelines for the update of other publicly available information regarding the improvement of device cybersecurity.
“Such information shall include information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers, and how such entities may access support through the Cybersecurity and Infrastructure Security Agency and other Federal entities, including the Department of Health and Human Services, to improve the cybersecurity of devices.”
The need for effective cybersecurity controls does not end with the release of the device. As noted above, manufacturers must be able to demonstrate their ability to monitor the devices, address vulnerabilities and mitigate threats for as long as the device is on the market.
Similarly, the FDA must ensure that it is continuously educating manufacturers, healthcare providers, and similar entities about growing threats. The bill requires a GAO report within the year “identifying challenges in cybersecurity for devices, including legacy devices that may not support certain software security updates.”
An Overdue Shift
What all of this adds up to is a clear call to arms that emphasizes the responsibility medical device manufacturers are expected to take regarding device security and patient safety.
The urgency and the clear and extensive demands of the bill reflect an understanding that cybersecurity threats are not going away anytime soon. The initiative set out by this bill demonstrates that the healthcare industry requires teamwork between the FDA, CISA, and other federal agencies. For the healthcare industry to have a fair chance, this bill is a necessity, one that I would argue is already overdue.
Although this may feel daunting for device manufacturers, I know that there are solutions and resources in the market designed with this all in mind. The US government has raised the bar, and medical device manufacturers, it’s time to rise to the challenge.
Article by: Sternum