As cyberattacks on healthcare persist, can the FDA’s new device regs hold up?

Medical device cybersecurity was an afterthought for the industry and regulators for years, even as hackers continually targeted the healthcare sector.

That changed last year when Congress codified stricter medical device cybersecurity requirements and the Food and Drug Administration finalized souped-up guidance for manufacturers. The new actions prioritized security at a time when cyberattacks and incidents were not just compromising data but crippling hospitals’ operations and threatening patient safety.

“I view last year as the beginning of time … a new world. Because the community has spent, I would say, a good 15 years thoughtfully working together and debating, ‘What does it even mean to have secure healthcare delivery or cybersecurity in a medical device?’” said Kevin Fu, the FDA’s former acting director of medical device cybersecurity.

Several steps were implemented in 2023 to increase oversight of cybersecurity risks in medical devices. First, new FDA regulations that Congress passed in December 2022 as part of an omnibus spending bill took effect in March of last year. The legislation, which added a new section to the Federal Food, Drug and Cosmetic Act, defined what a “cyber device” is and implemented stricter cybersecurity requirements for device makers to adhere to when submitting premarket applications, such as a plan to monitor for and identify potential vulnerabilities.

Second, the FDA’s Center for Devices and Radiological Health issued a final premarket guidance for device manufacturers in September. At over 50 pages, the document was a significant step up from the previous guidance, which was only a handful of pages long.

Fu, who is now a professor of electrical and computer engineering at Northeastern University, said the device community has some “really good consensus on where we need to be, and what are some of the better ways to get there.”

While multiple experts see last year as a high-water mark for device cybersecurity oversight, there are still challenges to overcome. For example, plenty of devices go to market with operating systems that may soon be outdated, and hospitals are filled with an unknown amount of unsupported older devices, known as legacy devices, that are vulnerable to attacks.

Furthermore, attackers will not likely stop targeting the healthcare sector any time soon, and threats have evolved. Fu said threats have shifted from a “bored kid in their basement to nation-state actors” who are trying to cause harm to hospitals.

“This is no longer child's play. This is no longer just fun and games,” he added. “These are economically motivated adversaries who will cause harm if a medical device leaves any door open, either in its manufacture or in its use.”

How are devices at risk?

While medical devices themselves are vulnerable to cyber threats, an attacker’s goal is rarely to hack into a singular device like a pacemaker or an insulin pump and take control. However, a device can be used as an entry point to get onto a larger target, such as a hospital’s network.

Axel Wirth, chief security strategist for the cybersecurity firm Medcrypt, explained that some attackers may not even know at first that they are targeting a medical device or even the healthcare system.

“It's more the incidental event, where a device gets compromised not because the device itself is targeted, but because the device fits the profile of the attack,” Wirth said. “The attacker is looking for an unpatched old Windows XP computer. While that happens to be a piece of medical equipment, rather than a desktop computer, the attacker may not even know.”

Medical devices may not typically be the target of attacks, but they can still be affected. Chad Waters, a senior cybersecurity engineer with the safety watchdog ECRI, said devices can be in the “blast radius” of a cyberattack on a hospital network, such as an MRI machine being shut down. Patient care is then delayed, even though the machine was not the direct target.

“This is no longer child's play. This is no longer just fun and games. These are economically motivated adversaries who will cause harm if a medical device leaves any door open, either in its manufacture or in its use.”

Kevin Fu

FDA's former acting director of medical device cybersecurity

Part of understanding how devices are at risk is also understanding what the full impact of an attack may be. Fu and Wirth both stressed that attackers are not merely looking to steal patient data — hospital and health facility operations and patient safety are at risk, as seen recently with the Change Healthcare attack and others over the past few years.

The interconnectedness of the health system with online devices, hospital networks and electronic health records can compound vulnerabilities and effects of cyber incidents.

“In the past, we really had that ‘one device, one network, one department’ kind of mindset, and I think we’re realizing that that is not sufficient. Problems, very quickly, can become much bigger,” Wirth said. “You have to fix security on a device-by-device level. But you have to strategize on the level of the entire system, and look where the entire system could potentially break down, which happened with [Change Healthcare].”

Hundreds of millions of dollars may be at risk for companies as well. Henry Schein managed through a cyber incident for months that forced it to take systems offline and affected more than 29,000 people. The company, which had cyber insurance with a $60 million limit, ultimately took an estimated sales hit of from $350 million to $400 million in the fourth quarter of 2023.

Cyber vulnerabilities are also factored into a company’s credit rating, and the burden of building stronger cybersecurity systems and infrastructure within a firm will likely hurt smaller companies “as they have fewer resources to invest in cybersecurity compared with larger companies, which can often assign dedicated teams to protect their data,” Gilberto Ramos, assistant vice president for Moody’s Ratings, wrote in an email.

As the industry and regulators have come to terms with the severity of cyber risks, experts said the next step is to fully grasp the potential damage of an attack.

Lingering problem of legacy devices

Multiple experts said that legacy devices are one of the biggest risks currently for the medical technology industry, as well as for hospitals. Facilities are filled with devices that have unsupported or soon-to-be unsupported software, leaving them vulnerable.

Devices like MRI machines can be expensive and difficult for hospitals to replace, or they are essential to patient care and cannot be shut down, which creates security gaps in a network.

“These are systems that are essentially poured in concrete, and we're waiting for the foundations to collapse,” Fu said. “There's a huge amount of legacy medical devices out there running on everything from Windows 10 to Windows 95. … This threat is our own doing because we didn't plan ahead as an industry.”

He added that hospitals were essentially “hoodwinked” into buying some devices that would quickly be unsupported, and now have to use machines where the “software is worn out faster than the mechanical components.”

MITRE, a nonprofit that conducts federal research, released a report on legacy medical technology in November. The report recommended that there should be a “shared responsibility” between providers and device makers over legacy machines, as well as information-sharing agreements between the two parties that include expectations for security controls for the entirety of a product’s lifecycle.

“Do we need to patch for the foreseeable decades to come? Yes, we do. Is patching a path that gives us the sufficient security we need? Never.”

Axel Wirth

Medcrypt's chief security strategist

Nastassia Tamari, director of the CDRH’s Division of Medical Device Cybersecurity, said managing legacy devices is one of the largest challenges facing the industry and regulators. A key problem is not just the large number of unsupported devices that are currently used in health facilities, but that no one knows how many legacy devices there are because of a lack of reliable data.

Tamari said regulators need to better understand the magnitude of the problem to create effective policies that could fix or mitigate the issue.

“It really is a difficult challenge,” she added, “with no answer right now.”

Secured by design

While addressing the problem of legacy devices, the FDA is simultaneously trying to prevent new devices from becoming legacy, or at least slowing down the process as much as possible.

The premarket requirements passed by Congress in 2022 get to this very point. As part of premarket applications — including 510(k)s, premarket approval, de novos and others — device makers must include plans to monitor, identify and address vulnerabilities in a “reasonable time”; design and maintain procedures to ensure that the device and related systems are cyber secure; and make available post-market updates and patches.

The new section of the FD&C Act, called 524B, also states that device makers must provide a software bill of materials (SBOM), which is a list or inventory of all the software components used in a device.

“With the new requirements, we're now better positioned than ever before to ensure [the] medical device industry is equipped with the tools and information it needs to prepare and address cybersecurity vulnerabilities and threats,” Tamari said.

While these new cyber regulations are seen as a way to limit the volume of legacy devices and as an improvement over the FDA’s minimal authority and guidances, some experts said manufacturers still need to build devices that are as secure as possible before hitting the market, rather than using a patching system to improve devices later as a crutch.

Ensuring a device is secured by design does not mean making a device perfect, as all software will get old, and threats will evolve.

“Do we need to patch for the foreseeable decades to come? Yes, we do. Is patching a path that gives us the sufficient security we need? Never,” Medcrypt’s Wirth said.

Wirth added that one reason patching is not an effective system is because it “takes weeks and months, and sometimes it never happens,” as a healthcare environment has machines that are dependent on others and involved in ongoing patient care.

Tamari said that to ensure devices are as secure as possible, manufacturers should put a product through rigorous threat modeling, penetration testing and risk management techniques and develop a detailed SBOM before an application is submitted for market authorization.

The new U.S. requirements, as well as international standards, may force companies to invest more money in development, and it may take longer to bring a product to the FDA review stage, Leroy Terrelonge, vice president for Moody’s Ratings, said in an emailed statement. He added that the requirements may even make the FDA’s review longer, keeping the device off the market, but companies could offset short-term costs if they develop an innovative product.

A brick building with a sign that says "Henry Schein Inc." — Henry Schein’s cyber incident last year affected more than 29,000 people and cost the firm estimated sales of from $350 million to $400 million.

Bruce Bennett via Getty Images

Fu stressed that SBOMs are one way to mitigate future threats. The inventory helps manufacturers to be more methodical about potential security problems and allows hospitals to see where vulnerabilities may be.

“It would be unrealistic to think you'll have a perfectly secure system that never needs to be tweaked. That is probably impossible,” Fu said. “However, there are good designs and better designs.”

He added that the goal is for manufacturers to be agile and better respond to threats when they happen because building an impenetrable device or system is not realistic.

Future of device security

Going forward, the question for the industry and regulators now is, will these FDA regulations work in an environment with rapidly innovating technology and evolving threats? Devices with artificial intelligence are becoming more common, opening the door for new benefits and risks.

AI could help companies test products pre-market against cyber threats at a rate that would be hard to replicate with humans. However, devices with built-in AI capabilities could also be more vulnerable.

Bad actors also have access to AI technology. For example, Wirth said hackers may use AI to “identify and find previously undisclosed vulnerabilities, and utilize those in an attack before the software supplier has identified the vulnerabilities themselves.”

The FDA’s CDRH is already looking at AI in a cybersecurity context, according to Tamari, though conversations are still in the early stages, and a lot of questions remain. Overall, the agency has made structural changes to address cybersecurity needs, such as elevating the Office of Strategic Partnerships and Technology Innovation (OST) to a “super office.”

An FDA spokesperson said in an emailed statement that OST has added six new members over the past few years, and the Office of Product Evaluation and Quality has added staff to assist with “policy development, policy implementation, and postmarket response.”

Fu said he was “cautiously optimistic” that last year’s changes should be sufficient for the next five to 10 years. One reason, he explained, is because the regulations are mostly “technology agnostic” and focused on the properties of the device, not a specific type of software.

However, regulations will still need to be updated eventually amid evolving technologies and threats and as healthcare attacks continue.

“The realization that it is collectively our problem manifested itself in 2023,” Wirth said. “Are we doing it yet? Not quite. But we're getting there. Recognition is always the first step to improvement.”