By Oct. 1, the Food and Drug Administration will have tackled two critical medical device security issues: new submissions designed without security in mind, and the lack of software bills of materials (SBOMs) to show network defenders where vulnerabilities lie.
The overwhelming consensus on the announcement is: “Finally.”
Medical device security is one of the biggest cybersecurity challenges facing the healthcare sector, due to a complex ecosystem and a heavy reliance on legacy technology and devices, many of which directly touch patients and were simply not designed with security in mind. And it's the healthcare delivery organizations that have borne the responsibility of securing that device infrastructure.
The problem is that even the most equipped health systems are unable to meet the task.
While the changes to device requirements won’t have an immediate impact on legacy devices and infrastructure challenges, they do mean that digital innovation can move forward with more intentional security. And, eventually, legacy devices will be a smaller issue.
“It's super exciting,” said Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety, in an interview. “There hasn't been a change like this allowing regulatory bodies in the U.S. to go after something for cybersecurity” for the last decade.
Ten years ago, it was the Department of Defense pushing for regulatory oversight of commercial products. “There hasn't been this level of activity since then,” she added. “We're going to see a lot more of it in the next few years.”
"Beginning October 1, 2023, the FDA expects that sponsors of cyber devices will have had sufficient time to prepare premarket submissions that contain the required materials and plans to issue refuse to accept premarket submissions for submissions that do not contain these required materials," an FDA Spokesperson told SC Media, in an email.
Long overdue support for healthcare providers
For anyone paying attention in the healthcare space, the FDA’s March 29 notice should have been expected. The agency was given the authority to make the announced changes to new device submissions in the Consolidated Appropriations Act of 2023, signed into law on Dec. 29.
As reported in January, the action informed developers and manufacturers that their time’s up. The FDA was given a precise timeline to put these actions and authorities into place.
While some outlets have suggested the Oct. 1 deadline is actually a delay for cyber requirements for new submissions, there’s evidence to suggest the FDA is already bouncing back submissions for failing to meet certain criteria.
Even some manufacturers are incorrectly interpreting the news as “delayed enforcement,” said MedCrypt CEO Mike Kijewski. Rather, “the day is finally here,” and “the FDA was gracious enough to give people six months to get their house in order.”
The latest announcement gives developers a “drop dead date” for when they will start refusing devices over cybersecurity gaps, Schwartz told SC Media. That doesn’t mean the FDA is telling manufacturers they’re “off the hook.”
What it does mean, however, is that new submissions — even now — will face an interactive review to get the devices up to current cyber standards to meet these new requirements.
Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at FDA's Center for Devices and Radiological Health, has herself warned manufacturers that this isn’t an excuse to not put these cybersecurity elements in place.
Rather, manufacturers should view this time as six months of relief, or a period of FDA support to get these devices up to par. An FDA spokesperson told SC Media, "During this six month period, the FDA is still requiring manufacturers to include the necessary information to ensure cyber devices meet the new cybersecurity requirements."
"If these materials are incomplete, or do not meet the new required standards, then the FDA will work collaboratively with sponsors during our interactive review process to ensure these requirements are met before beginning to issue," the spokesperson added.
As with any regulatory change, there has been plenty of pushback from manufacturers, with one security leader commenting on the initial announcement that “counting CVEs in embedded libraries and packages does not equal cybersecurity.”
Quite frankly, no one is asserting that this solves the medical device security problem. On the contrary, the added SBOM requirement, vulnerability disclosures, and security requirements for all new submissions will take strategic implementation, proper review, agency funding, and education for reviewers to make the most of these changes.
“Despite being a vital step in the security of medical devices, publication of SBOMs is not a panacea, nor are SBOMs foolproof,” said Richard Staynings, professor of information and communications technology, health informatics and healthcare management at the University of Denver.
SBOMs “merely provide security teams with a better understanding of vulnerabilities when a component in a device is found to be vulnerable elsewhere,” he added.
In short, network defenders can’t secure what they can’t see.
As such, it’s a massive step forward in device security, ensuring that manufacturers have more skin in the game and can no longer put the responsibility of securing vulnerable devices squarely on the back of overburdened healthcare provider organizations.
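As an added illustration, not code from the article, the FDA or any device vendor: the following Python script shows what a defender actually does with the visibility an SBOM provides. It matches a constructed advisory against constructed CycloneDX-style SBOMs for a few device models, reports which devices carry the affected component version, and flags devices for which no SBOM exists at all, the blind spot Staynings describes. Every device name, component name, version and the advisory identifier are invented for the example.

```python
"""Triage a constructed advisory against constructed CycloneDX-style SBOMs.

Added example, not code from the article, the FDA, or any device vendor.
Every device name, component name, version and the advisory are invented.
"""
from typing import Dict, List, Optional, Tuple

# Constructed inventory: one CycloneDX-style SBOM per device model, trimmed to
# the fields this example reads. "components": None stands in for a device the
# hospital has no SBOM for at all (the legacy case the article describes).
SBOM_INVENTORY: List[Dict] = [
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "InfusionPump-X1", "version": "3.2.0"}},
        "components": [
            {"name": "liblog", "version": "1.4.0"},
            {"name": "netstack", "version": "2.0.5"},
        ],
    },
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "PatientMonitor-M7", "version": "5.1.2"}},
        "components": [
            {"name": "liblog", "version": "1.6.2"},
            {"name": "netstack", "version": "2.3.0"},
        ],
    },
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "Ventilator-V2", "version": "1.0.9"}},
        "components": [{"name": "liblog", "version": "1.3.8"}],
    },
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "LegacyPump-L3", "version": "0.9"}},
        "components": None,
    },
]

# Constructed advisory: the component is affected from 1.4.0 (inclusive)
# up to, but not including, 1.6.0. The identifier is hypothetical.
ADVISORY: Dict = {
    "id": "EXAMPLE-ADVISORY-0001",
    "component": "liblog",
    "affected": {"min": "1.4.0", "max_excl": "1.6.0"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.0' into (1, 4, 0) so tuples compare numerically.

    Assumes purely dotted-numeric versions; a suffix like '1.0.2u' raises
    ValueError rather than being silently mis-ordered.
    """
    return tuple(int(part) for part in text.split("."))


def in_affected_range(version: str, affected: Dict[str, str]) -> bool:
    """True when min <= version < max_excl."""
    v = parse_version(version)
    return parse_version(affected["min"]) <= v < parse_version(affected["max_excl"])


def triage(inventory: List[Dict], advisory: Dict) -> Dict[str, List]:
    """Sort devices into affected / not_affected / unknown for one advisory.

    'unknown' collects devices with no SBOM: the advisory cannot be assessed
    for them, which is exactly the blind spot the SBOM requirement removes.
    """
    result: Dict[str, List] = {"affected": [], "not_affected": [], "unknown": []}
    for sbom in inventory:
        device = sbom["metadata"]["component"]
        label = f'{device["name"]} {device["version"]}'
        components: Optional[List[Dict]] = sbom.get("components")
        if components is None:
            result["unknown"].append(label)
            continue
        hits = [
            c["version"]
            for c in components
            if c["name"] == advisory["component"]
            and in_affected_range(c["version"], advisory["affected"])
        ]
        if hits:
            result["affected"].append((label, hits[0]))
        else:
            result["not_affected"].append(label)
    return result


if __name__ == "__main__":
    for bucket, devices in triage(SBOM_INVENTORY, ADVISORY).items():
        print(f"{bucket}: {devices}")
```

Running the script lists InfusionPump-X1 as affected, the monitor and ventilator as not affected, and the legacy pump as unknown. That last bucket is the point: without an SBOM the defender cannot even ask the question. Note also what the script does not tell you: a component being present says nothing about whether the vulnerable code path is reachable in that device, which is why the article's sources describe SBOMs as a visibility tool rather than a panacea.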
“Finally, after more than a decade of pressure from cybersecurity leaders and healthcare providers, manufacturers of medical devices are to be held to a much higher standard of security design, manufacture and support of the devices they produce and sell, or lease to providers,” said Staynings.
Companies that are interpreting the announcement as a delay, or that want to drag their feet on meeting these requirements, have likely failed to allocate the resources to do so, and “they're terrified to go back to their senior leadership and say, ‘Oops, we goofed, we didn't allocate resources, we need money now,’” said Naomi Schwartz.
Some may have received a budget to account for security, but perhaps misallocated it and may need to revisit the board for more funding, she added. At the end of the day, “burying your head in the sand is not going to work.”
Manufacturers may want to “push the can down the road for six more months.” But what happens when the FDA rejection letter comes and says they need a redesign and not just new documentation or rationales because certain elements are unacceptable, posited Naomi Schwartz.
The deadline means it will be “awfully hard to wiggle out” of failed security measures. She stressed that it means vendors will need to have justifications, planning for when security gaps will be met, expected changes, and even some “immediate hardening.”
“The FDA is not going to accept your excuses anymore,” said Naomi Schwartz. “It's been pretty clearly explained for several years and draft guidance on what the FDA’s expectations are moving toward. They went from nine pages of premarket guidance in 2014 to 49 pages in 2022. They're not playing around. It's time to get on board or quit selling devices.”
What manufacturers can expect moving forward
In the last seven years, the FDA has continued to shape and develop its voluntary guidance. With its announcement, the agency shared in-progress guidance and encouraged industry feedback to shape the upcoming mandatory device requirements.
The framework, and all its requirements for device manufacturers, will be finalized in two years. And “there’s certainly a need for clarity,” explained Naomi Schwartz.
Not only will devices need to be designed with security in mind, they’ll also need to include an SBOM of the components contained within the device, as well as the testing and disclosure of any known vulnerabilities, explained Staynings, who’s also the chief security strategist of medical device company Cylera.
That means, “no longer can manufacturers simply produce devices and move onto the next innovation,” he explained. “They now have a legal duty of care to support those devices they produce from now on.”
The addition of the SBOM requirement “sets a new standard of acceptance by the FDA,” Staynings continued. “Devices submitted that do not adequately demonstrate adherence to the new requirements will likely be refused acceptance and will not be cleared for use.”
Over the next six months, manufacturers can expect to see pushback from the FDA when submitting new devices. Indeed, there’s evidence to suggest the agency is already bouncing some applications and providing support for those manufacturers.
And even if the FDA previously approved a device, the new requirements mean there’s no guarantee that will happen this time around, explained Kijewski. “A lot of these companies aren’t going to believe it until they see it either directly, or see direct evidence.”
Of course, the new requirements “only impact new devices being submitted for approval,” Staynings added. “With a lifespan between eight and 20 years, legacy medical devices will be a feature of hospitals and other providers for many years to come.”
There are millions of these devices, many of which are “considered a security risk in today’s already vulnerable connected digital healthcare networks,” he concluded. “This means that providers will need to continue to employ compensating IoMT security controls and wide scale use of micro-segmentation of at-risk medical devices with network access controls (NAC) and software defined networking.”