Surprise! During the end-of-year rush to pass the federal spending bill, a piece of legislation of more than 4,000 pages allocating $1.7 trillion in spending, legislators included a section that helps make connected medical devices more secure.
The law requires that any medical device that connects to the internet address cybersecurity as part of its pre-market submission before it can be sold to the public. It also requires several other security practices, such as a software bill of materials. But the most notable part of the law is that a company can't sell a connected medical device without first showing it to the Food and Drug Administration and demonstrating that, should any security vulnerabilities arise, it has plans to monitor, update, and fix the device.
This is a big deal. It's also an acknowledgment that the government has realized self-regulation isn't working when it comes to cybersecurity, which is a theme I've been talking and writing about for some time. Indeed, over the last 18 months, the government has not only taken the threats posed by insecure connected devices seriously but has also taken steps to write laws and regulations that require industries to start addressing the issue.
I learned about this legislative win for medical device security while interviewing Kevin Fu, a professor of electrical and computer engineering at Northeastern University and the former acting director of medical device cybersecurity for the Food and Drug Administration, for the podcast. Then I read the legislation (page 3,537, line 18 if you want to skip straight there).
The legislation is brief, and formalizes what the FDA had been promoting in its cybersecurity guidance documents for a while. But putting it into law means that the agency now has the authority to enforce those practices rather than merely recommend them.
The law requires makers of connected medical devices to have a plan in place to monitor for security vulnerabilities, identify issues, and then fix them. It calls for best practices recommended by most cybersecurity experts, such as a coordinated vulnerability disclosure process (a defined way for someone who discovers a vulnerability to report it to the manufacturer so it can be fixed before it is made public) and a software bill of materials for each device, and it enshrines into law the obligation to patch vulnerable medical devices on a regular cycle (and to ship patches outside that cycle when a vulnerability is critical enough).
It also closes a potential loophole by covering devices cleared under the 510(k) market submission rules. Devices submitted under the 510(k) pathway get far less regulatory scrutiny than full pre-market approval, because the maker only has to show that the device is substantially equivalent to one that is already on the market. As long as a device maker doesn't change the function of the device, it doesn't need to go through full pre-market approval.
This is great if a company is making a slightly better CPAP machine or thermometer. But if those types of submissions weren't included, companies could have sidestepped the pre-market cybersecurity review simply by submitting their devices through the 510(k) pathway instead.
The legislation also gives the FDA the ability to take action against existing devices that were not submitted for pre-market approval if they are found to be insecure, which is another big win for those of us who are worried about the safety of our medical devices. And this is a safety issue.
Insecure medical devices can give attackers a foothold in hospital networks (a common precursor to ransomware attacks), and more importantly can let attackers physically harm patients by taking control of equipment such as infusion pumps. Other potential harms include such devices leaking personal information about users' health.
While most of us are probably thinking of that scene in "Homeland" when an assassin tried to kill the vice president by hacking his pacemaker, more mundane concerns have actually occurred and have caused harm to hospital systems. The CIO of a hospital once told me that a newly discovered vulnerability in an infusion pump attached to a patient meant the hospital had to dedicate a nurse to stay by that patient all night while they were hooked up to the pump, until the patient could be taken off it. This story feels apocryphal in the wake of the current post-pandemic health care staffing shortages, but medical device security is a serious issue.
Josh Corman, VP of cyber safety and strategy at Claroty, has been working on securing medical devices for the last nine years. As one of the founders of I am the Cavalry, an organization of hackers trying to help draw attention to the weaknesses of connected devices, he’s ecstatic that this legislation has passed. He told me he also thinks it’s an indication that Congress is willing to work against industry interests for the sake of the public good when it comes to cybersecurity. This means we could see other cybersecurity legislation pass.
He added that this particular legislation also provides funding and budget for the FDA to enforce the law. The law requires the FDA to review a device’s security ahead of its release, so it will need money to hire staff to handle this task. Northeastern’s Fu told me he believes the additional staff will help speed up pre-market certification, which is something many in the industry will have to see to believe.
Those outside the medical device industry should keep an eye on this legislation because it's clear that the government is turning to regulation to address cybersecurity after years of failed efforts by industry to secure its own products. Many of the requirements in this law, such as software bills of materials and regular vulnerability patching, are hallmarks of other government cybersecurity efforts. So the law and its enforcement will provide data on the effectiveness and side effects of these strategies.