Are You Ready for the New FDA Cybersecurity Mandate for Medical Devices?


The Food and Drug Administration (FDA) has done more than just apply a bandage on the issue of cybersecurity-related risks in medical devices. Late last month, the FDA issued guidance for medical device companies to ensure the safety of devices like heart monitors, MRI machines, and insulin pumps.

What the FDA is Asking of Medical Device Manufacturers

Specifically, in Section 3305, manufacturers have been asked to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”

They are also being asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address” vulnerabilities. Those updates must be delivered on “a reasonably justified regular cycle” for “known unacceptable vulnerabilities; and as soon as possible … critical vulnerabilities that could cause uncontrolled risks.”

The third area asks that the devices come with an SBOM including commercial, open-source, and off-the-shelf software components.

The guidance comes following an appropriations bill signed by President Joe Biden on Dec. 29, 2022, authorizing the FDA to establish cybersecurity standards for medical devices.

The new standards will have a profound impact on medical device manufacturers.

Why the New FDA Cybersecurity Requirements for Medical Devices Matter

There is little doubt that the medical community has long been susceptible to cyberthreats since Internet of Things (IoT) devices began to proliferate. As far back as 2016, a study from Ponemon Institute found that almost 90 percent of healthcare organizations had a data breach in the prior two years.

In 2022, 28.5 million patient healthcare records were exposed, according to an analysis of breach data healthcare organizations reported to Health and Human Services. And also last year, the FBI warned that patient safety, healthcare facility operations, and data integrity were all at risk due to cybersecurity vulnerabilities in medical devices.

The average medical device remains in active use for 10 to 30 years, though software update life cycles vary and are specified by each individual manufacturer, the FBI noted. Medical devices with outdated software are especially at risk because patches or updates intended to mitigate identified vulnerabilities are not applied, and this type of legacy hardware lacks current encryption capabilities. Regardless of a device’s life expectancy, cyber threat actors have plenty of time to discover and exploit vulnerabilities.

When a device is exploited, there are potential health risks to patients, including death. Twenty-four percent of respondents to a 2022 Ponemon healthcare study said ransomware increased the mortality rate. Health organizations reported having an average of more than 26,000 network-connected devices.

Although the study found insecure medical devices are considered the top cybersecurity threat, only about half (51 percent) of respondents said their organizations include prevention and response to an attack on these devices as part of their cybersecurity strategy.

An SBOM Can Make All the Difference in Compliance With the FDA Mandate

There has never been a better time for medical device manufacturers to start using an SBOM to help them accurately and easily inventory all device components used in the development process. An SBOM will help target cybersecurity vulnerabilities early on and reduce the cost of protection and remediation.

But because this information needs to be kept up to date, they should ideally use a Dynamic SBOM, which automatically incorporates updates whenever changes or additions are made throughout the software development lifecycle. After all, you can’t protect medical devices when you don’t know what’s inside.
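To make the SBOM argument concrete, here is an added example (not Rezilion’s code or any real device’s bill of materials) that loads a constructed CycloneDX-style SBOM covering the three component categories the FDA text names, matches it against a constructed advisory feed with placeholder IDs, and flags drift between the SBOM and the actual build manifest, which is the staleness problem a continuously regenerated SBOM avoids.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware build.
# Example data only: names and versions are made up, and the "group" field
# is used here to model the commercial / open-source / off-the-shelf split.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "openssl", "version": "1.1.1k", "group": "open-source"},
    {"name": "freertos", "version": "10.4.3", "group": "open-source"},
    {"name": "vendor-ble-stack", "version": "2.3.0", "group": "commercial"},
    {"name": "rtos-tcp-lib", "version": "4.1", "group": "off-the-shelf"}
  ]
}"""

# Constructed advisory feed (placeholder IDs, not real CVEs): which exact
# versions of a component are affected and the severity assigned to it.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl", "affected": {"1.1.1k", "1.1.1l"}, "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "name": "rtos-tcp-lib", "affected": {"4.1"}, "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "name": "freertos", "affected": {"10.2.0"}, "severity": "high"},
]


def load_components(sbom_json):
    """Return {component name: (version, group)} from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return {c["name"]: (c["version"], c.get("group", "unknown")) for c in bom["components"]}


def match_advisories(components, advisories):
    """Cross-reference the inventory with advisories (exact version match only).
    Critical findings sort first: the statute wants those fixed out of cycle."""
    hits = []
    for adv in advisories:
        entry = components.get(adv["name"])
        if entry and entry[0] in adv["affected"]:
            hits.append({"id": adv["id"], "name": adv["name"], "version": entry[0],
                         "group": entry[1], "severity": adv["severity"]})
    return sorted(hits, key=lambda h: h["severity"] != "critical")


def sbom_drift(components, build_manifest):
    """Names in the real build that the SBOM misses or lists at another version.
    A non-empty result means the SBOM is stale and its vulnerability view is wrong."""
    return sorted(name for name, ver in build_manifest.items()
                  if components.get(name, (None,))[0] != ver)


if __name__ == "__main__":
    inventory = load_components(SBOM_JSON)
    for hit in match_advisories(inventory, ADVISORIES):
        print(hit)
    # Constructed manifest: freertos was bumped and a logger added after the SBOM was written.
    print(sbom_drift(inventory, {"openssl": "1.1.1k", "freertos": "10.4.4", "new-logger": "0.1"}))
```

Real advisory data uses version ranges rather than exact versions, so a production matcher needs a proper version comparison; the exact-match form is kept here to show the inventory-to-advisory join itself.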

Book a demo of Rezilion’s Dynamic SBOM and learn how we can help you secure your environment and achieve compliance with real-time visibility into your dependencies. Book a demo today.
