In October, the US Food and Drug Administration will start rejecting medical devices that lack a secure design or a post-market cybersecurity plan.
For six months, medical device makers have had to comply with new cybersecurity regulations aimed at hardening medical devices against cyber attacks, but the US Food and Drug Administration has largely refrained from using its "refuse to accept" power up to now.
On Oct. 1, the FDA's grace period — during which the agency stated it would try not to use its ability to reject medical devices that lack appropriate cybersecurity controls and a post-market patching capability — will end. The manufacturers of medical cyber devices must now submit plans to monitor and patch post-market cybersecurity vulnerabilities, have a process in place for the secure design and development of devices, and provide a software bill of materials (SBOM) to the FDA. Those who do not satisfy the requirements could have their devices rejected on the grounds that they pose too great a cyber risk.
The agency's focus on medical-device cybersecurity stems from Congressional passage of an omnibus appropriations act in December 2022 that included a section, "Ensuring Cybersecurity of Medical Devices," requiring medical-device manufacturers to submit cybersecurity information to the FDA regarding any cyber device. The powers granted to the FDA, which went into effect in March, could go a long way toward forcing the makers of medical devices to consider and plan for vulnerabilities and cyberattacks, says Ty Greenhalgh, industry principal for healthcare at Claroty, an IoT security firm.
"This legislation addresses specifically that you have to do something about patching and updating on the new devices, and how are you going to get patches and updates out over the lifecycle in a reasonable time," he says. "The way this is set up, it's given broad authority for interpretation to the FDA on what it takes to get medical devices cyber-secure and what are the penalties, if you are not compliant with their interpretation."
The FDA, which allocated $5 million of its budget to medical device cybersecurity, could change that.
"Cybersecurity exploits are one of the most substantial threats faced by this nation, and the impact is particularly harmful for our health care system, where vulnerabilities could compromise entire hospital systems or disrupt manufacturing of countless devices if they are impacted," the FDA stated in its annual appropriations estimate. "Ultimately, these threats are of national security concern because if they go unchecked, they could cripple healthcare delivery."
Putting these new requirements into law is a first step, but is far from being an answer in and of itself, says David Brumley, a cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
"We're building a muscle at this point, and that muscle isn't gonna allow us to lift this open-source [security] weight yet. But if we don't start building this muscle we won't be able to in 20 years," he says. "I just wish that they took it a step further, to say how they're going to hold people responsible, and what powers they have to hold people responsible."