As cyber threats to the healthcare sector continue to ramp up in frequency and severity in the U.S. and globally, they increase the risk of rendering medical devices inoperable and disrupting patient care. In a worst-case scenario, ransomware attacks on medical devices can put protected health information at risk or even threaten lives. In this environment, healthcare cybersecurity experts report the need for improved standards and better efforts by hospitals and manufacturers to share responsibility for medical device security.
One of the challenges healthcare organizations face is defending older legacy medical devices, which often were not built with security in mind, against the growing threat of hacker attacks, according to a recent MedTech Dive article. Hospitals contend that as the end users, they bear a heavier burden for securing medical devices than medical device manufacturers do, and the American Hospital Association wants to see the Food and Drug Administration (FDA) mandate lifetime support of medical devices by manufacturers.
MedTech Dive also says the FDA has warned that unpatched medical devices “will become increasingly vulnerable to cyberattacks over time” and has called for more communication from OEMs when they can no longer support the software upgrades and patches needed to address their devices’ cybersecurity risks.
Mitigating Risk Throughout the Product Life Cycle
According to the FDA, the need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet- and network-connected devices; portable media like USB drives; and the frequent electronic exchange of medical device-related health information.
The agency in April released draft guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which is intended to provide recommendations to agency staff and the industry regarding cybersecurity device design, labeling, and the documentation that the FDA recommends be included in premarket submissions for devices with cybersecurity risk.
This new draft guidance replaces an earlier 2018 draft version and is intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the total product life cycle, and to outline more clearly the FDA’s recommendations for premarket submission content to address cybersecurity concerns. The draft was shared for public comment between April 8 and July 7 as Docket Number FDA-2021-D-1158-0001 on the Regulations.gov website, but as of this writing, it is not yet considered final or ready for implementation.
When securing medical devices, some of the primary challenges IT departments face include non-secure device designs, standardized configurations, patching restrictions, and insider threats, according to cybersecurity solutions provider Cybeats. They recommend the following four best practices to help healthcare organizations improve the security of their medical devices:
- Endpoint protection – Securing not only the medical device but also the endpoints they connect to, such as workstations
- Access management – Binding device authentication to the corporate authentication system
- Asset management – Maintaining a reliable inventory of medical devices and software components
- Vulnerability management – Conducting a vulnerability assessment of the software deployed on medical devices and reviewing vulnerability disclosures provided by vendors
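As an added illustration of the asset management and vulnerability management practices above (example code written for this page, not from Cybeats or the article), the following Python cross-checks a constructed device inventory against constructed vendor advisories and OEM end-of-support dates; every asset id, component, version, advisory id and date in it is an assumption.

```python
"""Constructed example (not from the article): cross-check a device inventory
(asset management) against vendor disclosures and OEM end-of-support dates
(vulnerability management). All ids, versions and dates are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Device:
    asset_id: str
    components: Dict[str, str]    # software component -> installed version
    support_ends: Optional[date]  # OEM end-of-support date; None if unknown

@dataclass
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE
    component: str
    fixed_version: str  # first version that contains the vendor's fix

def _ver(v: str):
    # Assumes simple dotted numeric versions such as "1.0.2".
    return tuple(int(p) for p in v.split("."))

def assess(inventory: List[Device], advisories: List[Advisory], today: date) -> Dict[str, List[str]]:
    """Return, per asset id, the reasons that device needs attention."""
    findings: Dict[str, List[str]] = {}
    for dev in inventory:
        issues = []
        for adv in advisories:
            installed = dev.components.get(adv.component)
            if installed and _ver(installed) < _ver(adv.fixed_version):
                issues.append(f"{adv.advisory_id}: {adv.component} {installed} < fixed {adv.fixed_version}")
        if dev.support_ends is None:
            issues.append("no OEM end-of-support date on record")
        elif dev.support_ends < today:
            issues.append(f"OEM support ended {dev.support_ends}; vendor patches unlikely")
        if issues:
            findings[dev.asset_id] = issues
    return findings

INVENTORY = [
    Device("INFUSION-01", {"pump-firmware": "2.3.1", "openssl": "1.0.2"}, date(2021, 12, 31)),
    Device("MONITOR-07", {"monitor-os": "5.1.0", "openssl": "3.0.7"}, date(2028, 6, 30)),
    Device("IMAGING-02", {"viewer": "4.0.0"}, None),
]
ADVISORIES = [Advisory("ADV-0001", "openssl", "1.1.1"), Advisory("ADV-0002", "pump-firmware", "2.4.0")]
TODAY = date(2022, 10, 1)

if __name__ == "__main__":
    for asset, issues in assess(INVENTORY, ADVISORIES, TODAY).items():
        print(asset, "->", "; ".join(issues))
```

Devices with no end-of-support date on record are flagged as well, since the FDA's concern above is precisely the point at which OEM patching stops.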
For more medical device security guidance, visit:
- FDA Digital Health Center of Excellence Cybersecurity Resources – Includes medical device cybersecurity news and updates; tips on mitigating cybersecurity risks; reports and white papers; and more
- MITRE Playbook for Threat Modeling Medical Devices – Developed to increase knowledge of threat modeling throughout the medical device ecosystem in order to strengthen the cybersecurity and safety of medical devices
- Cloud Security Alliance Medical Device Incident Response Playbook – Presents best practices for medical device incidents that incorporate clinical aspects of medical device incident response