The FDA gained new authorities to establish medical device security requirements for manufacturers in the omnibus package approved in December by Congress. (Photo by Sarah Silbiger/Getty Images)

For the last decade, healthcare provider organizations have borne the brunt of securing the expansive, complex medical device ecosystem. And most of even the best-equipped health systems struggle (and don’t) close all medical device security risks.

But all that may soon change, at least for premarket device submissions.

The sweeping $1.7 trillion omnibus package passed in December included measures that give the FDA new authorities to establish medical device security requirements for manufacturers, which has led to overwhelming praise from the healthcare sector.

The omnibus included “long desired FDA authorities” previously left out of the continuing resolution, said Carter Groome, CEO of First Health Advisory. Some of these requirements for premarket submissions were included in the Protecting and Transforming Cyber Health Care (PATCH) Act, which heralded broad support from industry stakeholders.

The last FDA appropriations bill passed in September without PATCH Act elements, despite overwhelming bipartisan support — much to the chagrin of medical device security leaders. The Consolidated Appropriations Act of 2023 includes some, but not all, of the language of the PATCH Act. 

“Although watered down from PATCH Act asks, it’s a big step forward for health sector resilience and ultimately the safety of people reliant on the integrity and availability of medical devices,” said Groome, who’s also a post-market medical device security advisor and member of the Health Sector Coordinating Council (HSCC).

But even the smallest step on healthcare cybersecurity is a huge win for provider organizations.

Specifically, the law gives the FDA $5 million and the authority to ensure all new medical devices brought to market are designed with security in mind. That means, in the near future, all medical device submissions will be required to include a software bill of materials and adequate evidence to demonstrate the product can be updated and patched.

These submissions must also include a description of security testing and controls.

From an outside perspective, it may appear as if manufacturers may be blind-sided by the upcoming shift. However, “neither the Patch Act nor HR2617 should be a surprise to anyone,” said Richard Staynings, professor of information & communications tech, health informatics, healthcare management at the University of Denver.

These vendors should have been “well aware of what is needed from them to secure their products and should have been working towards these goals for many years already,” he added.

To Staynings, who is also the chief security strategist of medical device company Cylera, the inclusion of device requirements is “a very welcomed development by the cybersecurity community, including the many security vendors who support healthcare.”

“Together these legislative changes should go a long way to plug some of the holes seen in healthcare targeting by cybercriminals and pariah nation states going back many years,” Staynings told SC Media. “The FDA is now finally empowered to secure medical devices and other healthcare IoT.” 

“Manufacturers will be required to demonstrate ‘reasonable assurances and effective security plans’ to FDA as part of their product submission,” he added.

As industry stakeholders watch for the law’s impacts to unfold, including possible increases in manufacturer costs, SC Media spoke with Staynings to further discuss what manufacturers should be doing now to prepare for these sweeping changes.

New authorities means improved medical device security

The law also empowers ongoing work to bolster healthcare cybersecurity through the partnership of the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, explained Staynings.

Within the next two years, the FDA and CISA must work together to define these security requirements, as risks and threats continue to evolve. The idea is to “combine the domain expertise of the FDA around the safety of medical devices with the domain expertise of CISA to better protect medical devices from cyberattack,” said Staynings.

One of the drawbacks, however, is that much of the law centers around pre-market requirements, some of which modify the most recently published FDA Pre-Market Guidance from April 2022. 

It’s an important piece of the puzzle but “not a homerun” due to the continued “legacy of non-binding recommendations,” said Groome. In contrast, the ideal scenario would move beyond recommendations to a set of requirements across the board.

The law may not be a grand slam, but it’s certainly “a double.” Groome said he believes there will be an impact on medical device security, unimaginable even a year or two ago, as manufacturers will now need to take monitoring, identifying and addressing post-market vulnerabilities more seriously.

“The expectation is the health sector will be better prepared to mitigate device downtime risk, more efficiently coordinate with manufacturers, and validate baselines and get patches or updates more quickly,” he continued.

Manufacturers were asked for more skin in the game, now it's a requirement

The FDA has long-noted that it’s simply not waiting to act on the patient safety risks posed by vulnerable devices. Even before these new authorities, the agency took a number of steps that suggested a shift to require the inclusion of an SBOM with each device to overhaul the current status quo.

Some security leaders have expressed concerns that many providers are ill-equipped to fully leverage SBOMs, but the inclusion will still have a sweeping impact on the risk assessment challenges currently facing these organizations.

Namely, by having to disclose a full SBOM, “manufacturers will no longer be the single source of truth, and consequently, the single point of failure,” said Staynings. SBOMs will support identification of vulnerabilities commonly used in applications and the underlying operating systems.

For example, Windows XP is embedded in many medical devices today despite its end-of-life status,” he continued. The FDA has requested this information from manufacturers since 2018, but many have dragged their feet on providing “full transparency for fear of disclosure to other manufacturers."

As the FDA is now empowered “to demand publication” of SBOMs, manufacturers that have resisted change will now be forced to make changes in order to operate in the healthcare space.

The agency will likely publish a date in the future that will outline when manufacturers must comply with the new rules, or risk having the device sent back to resolve any deficiencies. What’s unclear, as suggested by Groome, is what will be done for current and recently approved devices.

In particular, questions remain for how long the FDA will allow the manufacture and sale of these devices if they do not meet the new rules, Staynings explained. It’s also unclear how the FDA will handle “post-market manufacturer support of current and legacy systems and whether SBOMs and a coordinated disclosure of vulnerabilities will be required.”

It’s likely these questions will be answered in the forthcoming rules, which Staynings said he believes won’t take long to publish as these market shifts have been in the works for many years. The FDA also had “ample time to review the final version of the Patch Act from 2022 and to consider how it will enforce the act’s requirements.”

“Manufacturers have had many years — if not the better part of a decade — to prepare for these changes. Some, however, have chosen to ignore the security tsunami heading their way and will not be prepared,” said Staynings. “They will likely petition for delays in the enforcement of rules so they can continue to sell their insecure medical devices.”

“Unfortunately, the power of the healthcare lobby is such that tardy or negligent manufacturers may get away with it for some time, at the expense of hospital cybersecurity and patient safety,” he concluded.