Healthcare industry stakeholders have long stressed the challenges of securing the medical device ecosystem. One CISA leader thinks the FDA should create cybersecurity requirements for manufacturers to protect patient safety. (Photo by Hristo Rusev/Getty Images)

The Food and Drug Administration should implement policies that enforce cybersecurity requirements on medical device manufacturers to make devices more secure while making it easier for healthcare entities to secure the medical device ecosystem.

Daniel Bardenstein, lead technology and cyber strategy lead for the Cybersecurity and Infrastructure Security Agency (CISA), presented his proposal during an Aspen Institute fellowship presentation on Feb. 2.

During his tenure as the cybersecurity lead of Operation Warp Speed, the federal government’s COVID-19 vaccine initiative, Bardenstein saw first hand the “frightening state of security across our healthcare system, particularly in smart or connected medical devices.”

The discovery prompted Bardenstein’s focus during his Aspen Institute fellowship: What policy levers should the government make to better secure medical devices?

The FDA is tasked with regulating medical device cybersecurity, releasing a cybersecurity playbook for medical devices in 2018. The guidance has helped manufacturers and developers with vulnerability disclosures, while informing providers on best practices.

However, long standing issues remain. Healthcare industry leaders have long chastised the current state of medical device security, with an understanding that the complexity of the device ecosystem, inventory challenges, and issues with vendor or manufacturer controls make it difficult to secure these highly vulnerable devices.

As noted during the Defcon Biohacking Village over the summer, the FDA, manufacturers and hospitals are all struggling to keep pace with moving the needle on device security. The consensus is that most providers are forced to simply live with a certain amount of risk.

Bardenstein’s proposal would take the fight directly to the FDA, pressing the agency to require medical device manufacturers to implement basic cyber protections across all their devices and mandate that these vendors make it easier for hospitals and other providers to secure their devices.

Establishing a “cyber baseline” for device manufacturers

In the U.S. alone, there are an estimated 15 million connected devices, or about 20,000 medical devices per hospital. These numbers are expected to continue to rapidly rise over the next 10 years. These also include devices used by patients and providers in remote care outside of the hospital setting.

While medical devices have greatly improved remote care, Bardenstein stressed that as much as half of these devices “are trivially easy to hack by a malicious hacker.” And in many cases, patient lives depend on these devices.

“When we're talking about securing medical devices, we're really talking about securing patients and saving lives,” said Bardenstein.

“So why are medical devices so unsecured?” As stakeholders consistently note, most were not designed with security in mind. But many legacy devices continue to operate as expected, so most providers won’t consider replacing these tools with newer, more secure options.

That’s where the FDA should come in: with the development of a cyber baseline to create mandatory protections for all medical devices, he explained. The policy would mirror that of common safety features required in the auto industry.

As noted, the current cybersecurity guidance from the FDA was finalized four years ago and where manufacturers obtain needed device cybersecurity insights and requirements. But Bardenstein argues that it’s now “slightly outdated” and “contains non-binding recommendations with a lot of ambiguity.”

In short, “it’s unclear to manufacturers what’s actually required for their devices to get FDA-approval,” he argued. “The interpretation is up to the manufacturers in terms of which things they actually need to implement into their medical devices and how they implement those security features into the medical devices.”

Bardenstein’s proposal developed a baseline of cybersecurity protections that the FDA should include in their upcoming guidance, which could create clear requirements, specifics where appropriate, “so it makes it easier for everyone to rely on the same standards.”

The standards include new modern protections that weren’t included in the previous FDA guidance.

Device Query Interface

The FDA should also require manufacturers to build a safety feature into their devices that Bardenstein called a “device query interface,” which will make it easier for hospitals to secure these devices. More specifically, it would allow hospital security leaders to “go under the hood and get a sense of whether the device is functioning well or secure.”

As previously noted, most provider organizations find it incredibly difficult to make repairs or look into device functionality, as it could void the vendor contract. As Bardenstein put it, many of the critical security features built into the products of other industries are “largely absent in the current medical device landscape.”

Bardenstein proposes that hospitals should be able to physically review the device to determine the health or status, including whether it’s vulnerable to cyberattacks. At the current state, device checks are performed using tools that “effectively blast a medical device with lots and lots of requests, asking about health status, are you vulnerable, what software is running, etc.”

The problem is that these devices are very fragile and “this amount of traffic can easily overwhelm medical devices and can essentially cause them to fail.” And if a patient is connected to that device on the other side, it could impact their safety.

As a result, many hospitals aren’t able to form this basic cybersecurity practice of “going under the hood,” creating security blind spots. And even without these checks, the devices are still operating on the network, even with known or unknown issues or vulnerabilities.

Bardenstein’s proposal for a device query interface would tackle this challenge. Calling it a “very lightweight” feature, it could be built into medical devices and reduce this risk. 

“I like to think of it like a digital concierge in a hotel,” he explained. For example, instead of knocking on every door to find your friend staying in a hotel, there’s a concierge up front “where you can ask a question and very quickly get back an answer.”

For Bardenstein, the interface could minimize the risk of malfunctions to the device, or even to the patient, allowing hospitals to have greater visibility into the security, function, and vulnerability of the device to prevent cyberattacks.

“Now is a fantastic and urgent time for the FDA to act,” said Bardenstein. As the agency works on the update to its guidance, due later this year, the hope is “that they consider these specific proposals and incorporate them into that guidance.” At the end of the day, the more secure medical devices are made, the more attacks healthcare can successfully prevent or mitigate.

“Hospitals under attack can cause delays in care, which can ultimately result in patient deaths or other impacts to patient safety,” he continued. “As medical devices continue to proliferate, FDA has the opportunity to build and maintain patient trust.”