As cyberattacks on healthcare organizations ramp up, the FDA is boosting efforts to protect the security of connected medical devices with an ambitious plan to reduce vulnerabilities throughout a product’s lifecycle.

The Medical Device Safety Action Plan calls for new authorities to require manufacturers to build security updates and patch capabilities into products beginning at the design stage and to have formal policies and procedures for swift coordinated disclosure of vulnerabilities discovered after products hit the market.

The plan also calls for creation of a CyberMed Safety (Expert) Analysis Board, or CYMSAB, a public-private partnership to assess vulnerabilities, patient risks and advise on mitigation.

Industry, which has largely supported the agency’s cybersecurity efforts, including guidance on premarket and postmarket cybersecurity considerations, fears this latest salvo of preemptive controls could strap manufacturers with burdensome obligations that cannot be sustained in the long run and will do little to improve the safety of connected technologies. 

“Addressing the cybersecurity of medical devices is nowhere found in the [FD&C] statute,” says Bradley Merrill Thompson, a device attorney with Epstein Becker & Green. “Any intrusion into cybersecurity has to be predicated on actual evidence of safety issues, not science fiction fears.”

The FDA already requires companies to include capabilities for updating and patching software at the product design stage through its premarket guidance, and companies say they are widely following that.

“We already know that FDA will reject premarket submissions if they do not follow the cybersecurity guidance,” says Zach Rothstein, associate vice president for technology and regulatory affairs at AdvaMed. “So from our perspective, it didn’t seem like an issue that needed to be taken on at this stage.”

If the agency wants to boost premarket cybersecurity requirements, it should flush out the current guidance to reflect lessons learned since the original was issued, he says, noting revised guidance is expected by the end of the year.

FDA spokeswoman Stephanie Caccomo acknowledged the agency considers the adequacy of cybersecurity controls in approving new devices, but said additional authorities are needed to security by “directly addressing challenges healthcare delivery organizations and providers have encountered as a result of cyber campaigns and attacks such as WannaCry.”

That May 2017 ransomware attack forced many hospitals in the United Kingdom to suspend normal services and accept only emergency patients, and struck computers in 104 countries worldwide.

SBOMs open to potential misuse

Of particular concern for industry is the so-called Software Bill of Materials manufacturers would have to include in premarket submissions and make available to customers and users.

“As an industry, we have coalesced around the idea that is part of our shared responsibility in this healthcare ecosystem to provide Software Bill of Materials to customers that indicate it would be helpful for them to manage their networks,” Rothstein tells Healthcare Dive. He says a number of large hospital systems already require SBOMs, adding he is not aware of any holding up purchasing deals.

But industry is worried about lack of proper controls around sharing and maintenance of SBOMs. If the documents are stored in a publicly available central database, that could allow cybercriminals to learn which software is operating within a device, exposing patients to potential harm, AdvaMed warned in comments on the safety action plan. The agency needs to have protections around the issuance and maintenance of SBOMs to ensure only authorized users are able to access it and control who else can receive it.

The group also wants to see SBOMs standardized and established by regulation. “What we fear could happen without standards development or some type of consensus agreement is that each customer in the system would require a different version of the Software Bill of Materials, a different level of detail, a different type of update schedule, that would literally be unworkable for the thousands of customers a device company has,” Rothstein says.

FDA's Caccomo said exactly what information will be subject to transparency and the mechanism providing it to customers — e.g., product labeling — will be hammered out in FDA-led stakeholder discussions.

Providers push back

Meanwhile, hospitals are putting pressure on manufacturers to bear more responsibility for the cybersecurity of their legacy medical devices.

In response to a House Energy & Commerce Committee request for information, the American Hospital Association said many legacy devices were built before the current cyber threat landscape existed and may use outdated or nonsecure software and hardware, leaving them vulnerable to attack.

The group ticked off a wide range of supports manufacturers should be required to provide to ensure a safe patient environment, including wrapping security precautions around legacy devices, adding security tools and auditing capabilities where possible, conducting regular updates and patching all software, and communicating security vulnerabilities quickly through consistent channels, the AHA said.

“Security is a shared responsibility, but really so far providers have borne the heavier load on securing medical devices,” Chantal Worzala, vice president of health IT and policy at the AHA, tells Healthcare Dive.

The group reiterated its concerns in comments on the FDA action plan. Manufacturers “share responsibility for safeguarding the confidentiality of patient data, maintaining data integrity and ensuring the continued availability and functionality of the device itself,” it wrote.

But manufacturers say expecting them to support a product’s cybersecurity into perpetuity is unreasonable.

“If Microsoft shuts down support of a particular operating system, you cannot expect the medical device manufacturer to then take the lead on keeping, for example, Windows XP secure,” Rothstein said. “That’s just not a viable solution, and it’s not something that a medical device manufacturer has the expertise to handle.”

If a hospital intends to use a large piece of capital equipment for 15 years, that needs to be something both parties understand and agree to up front so the manufacturer knows whether it can support the product for that long and the hospital can make a rational purchase decision based on the company’s capabilities, he adds.

Both sides are seeking more information about the proposed CYMSAB, which could be deployed to investigate potential or real security threats in the field. Providers want to ensure they have a seat at the table. Industry is concerned about CYMSAB’s composition, too, but from a confidentiality standpoint.

“You could imagine a situation where there’s a potential breach or situation with a medical device … and if this board is made up of this company’s competitors or some of their customers, the type of information that would need to be shared could make it a difficult situation for the company to be in,” Rothstein said.

Moreover, if the board is established as a federal advisory committee, its discussions would be available via FOIA requests.

Ultimately, it makes sense for FDA to have a set of experts who can assist with questions that have detailed technical aspects to them, but more discussion is needed on exactly what role the board will play and how its intervention in a cyber crisis would potentially work, he says.