Surprise! During the end-of-year rush to pass the federal spending bill, a piece of legislation with more than 4,000 pages apportioning out $1.7 trillion of spending, legislators included a section that helps make connected medical devices more secure.
The law requires that any medical device that is connected to the internet get pre-market approval before being released to the public. It also requires several other security practices, such as a software bill of materials. But the most notable part of the law is that a company can’t sell a connected medical device without first showing it to the Food and Drug Administration and proving that, should any security vulnerabilities arise, it has plans to monitor, update, and fix the device.
This is a big deal. It’s also an acknowledgment that the government has realized self-regulation isn’t working when it comes to cybersecurity, which is a theme I’ve been talking and writing about for some time. Indeed, over the last 18 months, the government has not only taken the threats posed by insecure connected devices seriously but it has taken steps to make laws and regulations that force all industries to start addressing the issue.
I learned about this legislative win for medical device security while interviewing Kevin Fu, a professor of electrical and computer science at Northeastern University and the former acting director of medical device cybersecurity for the Food and Drug Administration, for the podcast. Then I read the legislation (page 3,537, line 18 if you want to skip straight there).
The legislation is brief, and formalizes what the FDA had been promoting in its cybersecurity guidance documents for a while. But putting it into law means that the agency now has more authority to force companies to comply.
The law requires makers of connected medical devices to have a plan in place to monitor for security vulnerabilities, identify issues, and then fix them. It calls for best practices recommended by most cybersecurity experts, such as requiring coordinated vulnerability disclosures (which means that when someone discovers a vulnerability they can share that information responsibly, without the threat of a lawsuit) and a software bill of materials for medical devices, and enshrines into law the obligation to patch vulnerable medical devices on a regular basis (and to require patches outside of regular cycles when the vulnerability is critical enough.)
It also closes a potential loophole by including devices certified under the 510(k) market submission rules. Devices submitted under 510(k) submission rules don’t get regulatory scrutiny because they have already been approved and on are on the market. As long as a device maker doesn’t change the function of the device they don’t need to get pre-approval.
This is great if a company is making a slightly better CPAP machine or thermometer. But if those types of submissions weren’t included, it would have enabled companies to get around the pre-market cybersecurity review simply by claiming that they were able to be submitted under the 510(k) regime.
The legislation also gives the FDA the ability to take action against existing devices that were not submitted for pre-market approval if they are found to be insecure, which is another big win for those of us who are worried about the safety of our medical devices. And this is a safety issue.
Insecure medical devices can allow hackers to make their way into medical systems via ransomware attacks, and more importantly allow hackers to physically harm patients by accessing equipment such as infusion pumps. Other potential harms include such devices leaking personal information about users’ health.
While most of us are probably thinking of that scene in “Homeland” when an assassin tried to kill the vice president by hacking his pacemaker, more mundane concerns have actually occurred and have caused harm to hospital systems. The CIO of a hospital once told tell me a newly discovered vulnerability in an infusion pump attached to a patient meant the hospital had to dedicate a nurse to stay by that patient all night while they were hooked up to the pump until the patient could be removed. This story feels apocryphal in the wake of the current health care staffing shortages post-pandemic, but medical device security is a serious issue.
Josh Corman, VP of cyber safety and strategy at Claroty, has been working on securing medical devices for the last nine years. As one of the founders of I am the Cavalry, an organization of hackers trying to help draw attention to the weaknesses of connected devices, he’s ecstatic that this legislation has passed. He told me he also thinks it’s an indication that Congress is willing to work against industry interests for the sake of the public good when it comes to cybersecurity. This means we could see other cybersecurity legislation pass.
He added that this particular legislation also provides funding and budget for the FDA to enforce the law. The law requires the FDA to review a device’s security ahead of its release, so it will need money to hire staff to handle this task. Northeastern’s Fu told me he believes the additional staff will help speed up pre-market certification, which is something many in the industry will have to see to believe.
Those outside the medical device industry should keep an eye on this legislation because it’s clear that the government is turning to regulation to address cybersecurity after years of failed efforts by industry to secure their products. Many of the requirements and mechanisms that are in this law, such as software bills of material and regular vulnerability updates, are hallmarks of other government cybersecurity efforts. So the law and its enforcement will provide data on the effectiveness and effects of these strategies.
Chris Claxton says
This really is great news. Should we expect home medical devices to officially “fall out of support” because the companies do not want to re-vamp or contnue to maintain security vulnerabilities on old medical devices? There is a big market out there for IoT scales, blood pressure monitors, glucose testing, and more that are connected wirelessly to tracking histories on our devices, on a cloud service, and even integrated with broader systems like Google Health. We have several of our own.
(Side note. This post made it into my Google discovery feed. 😀 )
Stephen A Day says
For those of us who are providing Remote Patient Monitoring, this is important. We at Heartland Clinics of America, Inc. need to monitor patients who live alone, are senior citizens or in “at risk” situations. We are being bombarded with many great IOT devices, BP monitors, Fall Detectors, Glucose Meters, etc. It is a challenge to find the most effective and cost efficient devices. While many manufacturers and service providers will whine about more regulation and compliance, we can rely that the devices that have been approved meets at least some basic HIPAA standards. Now, we need to assure our patients that ALL their information is safe. It is their right. IT IS OUR DUTY