These days, all forms of production heavily depend on digital infrastructure, including the manufacturing of medical devices. This reality brings with it an abundance of opportunities, but it also leaves our devices exposed to the risk of cyberattacks. It's crucial for companies in the medical device sector to enhance their cybersecurity protocols and adhere to best practices to protect their products and their brand image.

In a recent survey, a notable 43% of production companies mentioned a security breach as a primary reason for increasing their cybersecurity budgets. Clearly, this is an issue that deserves significant attention.

Decoding the New FDA Cybersecurity Guidelines

The FDA recently introduced fresh cybersecurity guidelines for companies involved in the creation of medical devices. The guidelines mandate that these organizations should be able to actively monitor and counter potential cyber threats, even after the device has been launched on the market.

This policy amendment, part of last year's spending package (the Consolidated Appropriations Act, 2023, which added section 524B to the Federal Food, Drug, and Cosmetic Act), expects organizations to generate a Software Bill of Materials (SBOM) with exhaustive information about all software components used in a device. This includes commercial, open-source and off-the-shelf software as well as third-party applications.

The SBOM gives both the FDA and device users a machine-readable inventory of what runs inside a device, so that when a vulnerability in a component is published, the devices that contain the affected version can be identified quickly rather than by auditing each product after the fact.
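As an added illustration (not code from the page, the FDA, or any manufacturer), the following Python script shows the use an SBOM is actually put to once a vulnerability is published: it reads a CycloneDX-style SBOM and reports components whose package URL and version fall inside an advisory's affected range. The SBOM, the hypothetical pump-controller it describes, and the advisory table are constructed for the example; the Log4Shell entry mirrors the published advisory for CVE-2021-44228 (log4j-core from 2.0 up to, but not including, 2.15.0), and the version comparison is a deliberate simplification.

```python
"""Check a CycloneDX SBOM against a list of vulnerability advisories.

Added example. The SBOM below describes a hypothetical device and the
advisory table is hand-written for illustration; neither comes from the
page, the FDA, or any real manufacturer.
"""
import json

# Constructed CycloneDX 1.4-style SBOM for a hypothetical "pump-controller"
# build. Package URLs (purl) identify each component and its version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "pump-controller", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "operating-system", "name": "debian", "version": "11",
         "purl": "pkg:deb/debian/base-files@11"},
    ],
})

# Advisory table (constructed). Each entry: the purl without a version,
# the first affected version and the first fixed version. The Log4Shell
# entry mirrors the published advisory for CVE-2021-44228, which affects
# log4j-core from 2.0 up to but not including 2.15.0.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple.

    Simplification: a pre-release suffix such as "-beta9" is dropped, so
    "2.0-beta9" compares equal to "2.0". Production tooling should use a
    full ecosystem-specific comparator instead.
    """
    core = version.split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def split_purl(purl: str) -> tuple:
    """Split "pkg:type/ns/name@version?qualifiers" into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?")[0].split("#")[0]
    return base, version


def affected_components(sbom_json: str, advisories: list) -> list:
    """Return one record per (component, advisory) match in the SBOM."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably; flag separately in real use
        base, version = split_purl(purl)
        version = version or comp.get("version", "")
        if not version:
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append({"component": comp.get("name", base),
                             "version": version, "advisory": adv["id"]})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['component']} {hit['version']} is affected by {hit['advisory']}")
```

With a machine-readable SBOM on file for every fielded device, the question "which of our products ship log4j-core below 2.15.0?" becomes a query rather than a weeks-long engineering audit, which is the outcome the FDA requirement is after. Real tooling should use a full purl and version comparator and pull advisories from a vulnerability database rather than a hand-written table.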

The FDA, in their draft guidelines, also encourages device-producing companies to integrate cybersecurity considerations into their quality systems and offer information about these efforts in premarket submissions. This may include PMAs, 510(k)s, investigational device exemptions, and software as a medical device (SaMD) applications.

Moreover, organizations in the medical device field should aim to enhance their post-production processes. This could involve establishing response teams to manage cybersecurity incidents and ensure that devices are promptly updated to minimize vulnerabilities. Providing users with comprehensive manuals that delineate a device’s security controls and potential risks is also beneficial.

Why Are Medical Device Companies at Risk of Cyberattacks?

A unique aspect of the medical device industry is that these devices are not subjected to independent cyber vulnerability testing before they are introduced to the market. The FDA currently doesn't have the resources or personnel to conduct such tests for every device. This leaves the responsibility for finding and addressing vulnerabilities, both before and after market entry, with the device-producing companies.

Manufacturers must consider security during the design and development process, including building cybersecurity into the product's architecture and ensuring it can be updated to address new threats. In addition, manufacturers should work with a trusted RCA consulting partner that can conduct reverse engineering assessments and help them identify security weaknesses and implement mitigation strategies before the product goes to production. This is critical to avoiding post-market exposure to vulnerabilities such as Log4Shell (CVE-2021-44228), a flaw in Apache Log4j, a widely used Java logging library, or the SMBv1 flaw that the WannaCry ransomware exploited in 2017. In both cases, only manufacturers that knew exactly what software their fielded devices contained could quickly answer which products were affected.

While the FDA’s new guidance and bipartisan Congressional support of the PATCH Act represent important steps forward, much work still needs to be done. Penalties that address the shared accountability of product manufacturers and healthcare systems should be based on their relative contribution to the breach’s root cause, using objective industry best practices as the standard. This would incentivize manufacturers to better safeguard their devices and the data they gather.

Medical device companies should also create response teams to be proactive about post-production cybersecurity. These teams assess whether and how a cyberattack impacted a company’s medical devices, and they determine if any of the protections they put in place worked to safeguard the products from attack. The teams also communicate with the affected healthcare system and provide them with all information they can about resolving any problems or limiting their impact.

Lastly, medical device manufacturers must ensure their supply chain partners are taking steps to protect their own equipment and the health system networks they connect to. This means requiring them to sign contracts that include provisions for protecting sensitive patient data, documenting the security standards they follow, and providing a complete software bill of materials (SBOM) for all connected devices. Manufacturers should encourage suppliers to participate in information-sharing and analysis organizations, such as the Health Information Sharing and Analysis Center (H-ISAC), to reduce their exposure to cyberattacks.

The Cybersecurity Challenges Facing Med Device Companies

Medical device manufacturers must take a proactive approach to managing cybersecurity risks throughout the product lifecycle. This requires a detailed understanding of the device lifecycle, including risk assessment at each stage and a robust software development process with rigorous testing for every update. It also demands a strong governance framework with a dedicated senior owner. This will be critical to avoid cybersecurity incidents in the future, as well as to identify and respond to incidents when they occur.

The good news for medical device manufacturers is that there are a number of strategies to help address the challenges of cybersecurity in new medical devices and legacy devices already in use. These initiatives include implementing a thorough tracking system for all devices, including unique device identifiers (UDIs). This will help to detect the presence of counterfeit or unapproved devices. Tracking systems can also help to spot gaps where cloned or counterfeit devices could be introduced into a fleet. They also help to ensure that devices are properly supported and maintained to protect patient data and, ultimately, patient safety.

Despite the many risks of cyberattacks against healthcare, surprisingly few regulations require medical device manufacturers to consider cybersecurity during the design and production process. While FDA regulations do call for consideration of such risks, they don’t require that these risks be tested for before a device goes to market.

As medical devices continue to become more connected, there are heightened concerns about the ability of hackers to breach these devices and steal sensitive health information or cause physical harm to patients. For example, in 2011, security researcher Jay Radcliffe demonstrated at the Black Hat security conference that he could hack into his own insulin pump from a few feet away and change the amount of insulin it delivered.

As the threats of cybersecurity breaches against healthcare grow, regulators will inevitably step up their game to keep pace. This means that medical device manufacturers will need to adopt a much more intentional approach to cybersecurity to pass muster with the FDA and ensure that all of their new medical devices are resistant to cyberattacks.

Why Investing in Cybersecurity is Critically Important

The Internet of Things and connected medical devices are bringing huge advantages to healthcare, from individual patients who receive remote monitoring and diagnostics to society as a whole as the large volumes of clinical data generated by connected devices speed up research for new medicines. However, these benefits are often accompanied by a growing number of cybersecurity risks, from data privacy concerns to the devastating effects that can occur when a device is compromised.

These attacks are on the rise, and while many hospitals have taken steps to mitigate these threats — including employing smart cybersecurity solutions that can monitor all connected medical devices in real time — more needs to be done. Unfortunately, staff shortages and budget constraints limit the ability to monitor and update these devices properly. The good news is that implementing proper cybersecurity strategies and best practices can greatly reduce the risk of cyberattacks, protect data and fortify the devices themselves.

It is essential for medical device manufacturers to prioritize cybersecurity in their design process and ensure that all products meet the FDA's cybersecurity standards, which may help avoid regulatory sanctions, liability for damages and reputational harm resulting from any breaches. Taking these precautions can also speed up the regulatory approval process. For example, including a Software Bill of Materials (SBOM) that identifies all commercial, open-source and off-the-shelf software and firmware components in a device is critical to meeting the FDA's requirements.

Medical device manufacturers must also keep up with the latest cybersecurity trends and developments in order to stay ahead of the curve, which can be challenging as hackers are constantly working to evolve their attack techniques. This is why it is critical for them to have a partner like Promenade that can assist them with staying informed about the latest threats, vulnerabilities and mitigation strategies.

As we head into the second half of 2023, it's clear that cybersecurity is becoming a top priority for medical device manufacturers. But the challenges of keeping up with this rapidly evolving field are significant, as incidents such as the 2021 ransomware attack on Colonial Pipeline illustrate. To help address these challenges, device manufacturers need a trusted partner to help them create and implement comprehensive cybersecurity programs that will meet the FDA's requirements for pre-market submissions and ongoing maintenance of their products.