Legacy Medical Devices in US Hospitals: A Major Cybersecurity Weak Point

US Medical Device Security News

Heightened Concerns Over Legacy Device Vulnerabilities

A recent House Energy and Commerce subcommittee hearing addressed the significant cybersecurity risks posed by legacy medical devices in the US. Their hardware often remains in service for decades while vendor software support ends much sooner, leaving them easy targets for cyberattacks. Experts warned that a successful breach of a connected legacy device could give threat actors access to entire hospital networks, jeopardizing patient safety and national security. Alarmingly, the FBI's Cyber Division reports that over half of networked medical and IoT devices contain known critical vulnerabilities. The lack of a comprehensive national inventory of these devices further complicates security efforts.

FDA's Stricter Premarket Requirements Under PATCH Act

The December 2022 PATCH Act granted the FDA greater authority over medical device cybersecurity. Since March 2023, manufacturers of new medical devices have been required to submit detailed plans for monitoring and addressing post-market cybersecurity vulnerabilities throughout the device lifecycle. They must also provide a Software Bill of Materials (SBOM) so that every software component in the device is traceable. While this raises the bar for new devices, it does not retroactively apply to the vast number of legacy devices already in use.

HHS Staffing Cuts Raise Cybersecurity Concerns

Proposed significant staffing cuts at the Department of Health and Human Services (HHS), including the FDA, have sparked concerns among lawmakers regarding the future of medical device cybersecurity efforts. With thousands of positions slated to be eliminated, questions arise about the FDA's capacity to effectively review the cybersecurity of new devices and respond to emerging vulnerabilities. Experts worry that these cuts could slow down the approval process for innovative, secure medical technologies and hinder ongoing cybersecurity assessments.

Industry and Government Collaboration Efforts

The Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG) has published extensive cybersecurity practices, negotiated between medical device manufacturers and healthcare providers, aimed at improving medical device security. Additionally, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) have a collaborative agreement in place to coordinate efforts in this domain. However, a recent GAO report highlighted the need to update this agreement to reflect organizational and procedural changes since 2018 and to improve federal support accessibility for non-federal entities facing cybersecurity challenges.

Network-Level Security and Proactive Threat Management Emphasized

With the increasing integration of medical devices into hospital networks, a network-level approach to security is gaining importance. Solutions that offer end-to-end risk management, including real-time virtual patching and AI-driven vulnerability prioritization, are being highlighted as crucial for managing the growing number of connected devices without disrupting patient care. Proactive threat intelligence and robust security frameworks, incorporating elements like threat modeling and risk assessments throughout the device lifecycle, are also emphasized as essential for mitigating evolving cyber threats.
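The SBOM traceability described under the PATCH Act and the inventory-driven, prioritized approach described here come together in practice as a fleet-level check: match each device's component list against known advisories, then rank findings by network exposure, whether vendor support has lapsed, and whether a network-level compensating control already covers the issue. The following Python program is an added illustration, not code from the article or from any regulator or vendor; the device names, component versions, advisory identifiers (placeholders, not real CVEs) and scoring weights are all constructed, and the SBOM shape is a deliberately simplified name/version list rather than a full CycloneDX or SPDX document.

```python
"""Inventory-driven vulnerability prioritization for connected medical devices.

Added illustration: each device carries a minimal SBOM (component name and
version), the fleet is matched against a constructed advisory list, and the
findings are ranked by exposure, vendor support status and whether a
network-level compensating control ("virtual patch") already mitigates them.
All devices, components, versions, advisory ids and weights are constructed
sample data, not real products, CVEs or an official scoring scheme.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Device:
    asset_id: str
    model: str
    network_connected: bool
    support_ends: date                      # vendor software support end date
    sbom: list = field(default_factory=list)            # list[Component]
    virtual_patches: set = field(default_factory=set)   # advisory ids blocked at network layer


@dataclass
class Advisory:
    advisory_id: str                        # placeholder id, not a real CVE
    component: str
    affected_versions: set
    severity: float                         # CVSS-like base score, 0-10
    network_exploitable: bool


def version_affected(comp, adv):
    """True when this SBOM entry names an affected component and version."""
    return comp.name == adv.component and comp.version in adv.affected_versions


def match_advisories(device, advisories):
    """Return every advisory that applies to a component in the device SBOM."""
    return [adv for comp in device.sbom for adv in advisories
            if version_affected(comp, adv)]


def score_finding(device, adv, today):
    """Risk score: base severity, raised for reachable network vectors and for
    devices past vendor support (no fix will come), lowered when a virtual
    patch already blocks the vector. Weights are illustrative assumptions."""
    score = adv.severity
    if device.network_connected and adv.network_exploitable:
        score *= 1.5
    if device.support_ends < today:
        score += 2.0
    if adv.advisory_id in device.virtual_patches:
        score *= 0.25
    return round(min(score, 20.0), 2)


def prioritize(devices, advisories, today):
    """Rank (score, asset_id, advisory_id) triples, highest risk first."""
    findings = [(score_finding(dev, adv, today), dev.asset_id, adv.advisory_id)
                for dev in devices for adv in match_advisories(dev, advisories)]
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample fleet and advisory feed.
ADVISORIES = [
    Advisory("ADV-0001", "netstack-lib", {"1.2.0", "1.2.1"}, 9.8, True),
    Advisory("ADV-0002", "dicom-parser", {"3.0"}, 8.0, True),
    Advisory("ADV-0003", "ui-toolkit", {"2.4"}, 5.3, False),
]

DEVICES = [
    Device("INF-001", "InfusionPump-X", True, date(2019, 6, 30),
           [Component("netstack-lib", "1.2.0"), Component("ui-toolkit", "2.4")]),
    Device("IMG-007", "CTScanner-Y", True, date(2027, 1, 1),
           [Component("dicom-parser", "3.0")], {"ADV-0002"}),
    Device("MON-042", "BedsideMonitor-Z", False, date(2018, 1, 1),
           [Component("netstack-lib", "1.2.1")]),
]

TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for score, asset, adv_id in prioritize(DEVICES, ADVISORIES, TODAY):
        print(f"{score:6.2f}  {asset:8}  {adv_id}")
```

The ranking puts the network-connected, out-of-support infusion pump with a remotely exploitable component at the top, while the scanner whose advisory is already covered by a virtual patch drops to the bottom even though its base severity is high. The point for a hospital security team is that the SBOM is what makes the match possible at all; without it, the first step (knowing which devices contain the affected component) cannot be automated.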

Ransomware and Data Breaches Remain Major Threats

Cyberattacks, particularly ransomware, continue to pose a significant threat to the healthcare sector, including medical devices. These attacks can compromise vital files, disrupt patient care, and severely damage the reputation of healthcare providers. Unauthorized access to medical databases containing sensitive patient information also carries severe privacy and financial consequences.

Overall: The US medical device security landscape is facing increasing challenges due to the prevalence of vulnerable legacy devices and the evolving sophistication of cyber threats. While the FDA's new premarket requirements are a step forward, addressing the security of existing devices and ensuring adequate resources for regulatory oversight remain critical concerns. Collaborative efforts between government agencies, the medical device industry, and healthcare providers, along with the adoption of proactive, network-level security strategies, are essential to safeguarding patient safety and data in this increasingly connected healthcare environment.
