
Muddy Water for Healthcare IoT Security

by Barry Manz, Editor, Microwave Product Digest

Like virtually everything else that can be made “connectable,” IoT is transforming the healthcare industry, allowing healthcare professionals to access and exchange patient data and monitor patient health remotely, among many other uses. But it also poses significant security threats that can compromise patient privacy, data confidentiality, and system integrity.

In fact, healthcare facilities and organizations are the second-most attacked industry. From 2016 to 2021, the annual number of ransomware attacks more than doubled; those attacks disrupted the delivery of healthcare and stole millions of patient records, and only one in five victims was able to restore data from backups. The largest breach last year was of CommonSpirit Health Systems, the country’s second-largest private healthcare chain, which compromised the personal information of 632,000 patients.

Primary Risk

One of the primary security risks associated with wireless connectivity is the potential for unauthorized access to patient data. Wireless networks are inherently less secure than wired networks (although wired networks can be hacked too), and data transmitted over wireless networks can be intercepted by attackers who gain access to the network.

Another security concern associated with wireless connectivity is the proliferation of unsecured devices. IoT devices often lack adequate security measures, making them easy targets for cyberattacks. When these devices are connected to the healthcare network, they can provide a potential entry point for attackers to gain access to sensitive patient data and other healthcare information.

Finally, wireless connectivity also increases the risk of insider threats. Healthcare employees with access to the wireless network can potentially misuse patient data or compromise network security, either intentionally or inadvertently.

In summary, while wireless connectivity has many benefits for the healthcare industry, it also presents significant security risks that must be carefully managed to protect patient data and maintain the integrity of healthcare systems.

The issue hasn’t escaped attention from agencies such as the FDA, federal law enforcement, and Congress, and the first steps toward addressing healthcare security have been taken. However, navigating the regulatory landscape is not for the faint of heart because it’s a long, winding road of security recommendations from the FDA, congressional legislation, and the yearly race to pass the next year’s federal budget. That also includes funding for the FDA, which has no law-making ability and only makes recommendations that are typically incorporated in legislation and federal laws.

Since 2014, the FDA has been issuing recommendations concerning cybersecurity for the healthcare industry, with each recommendation updating its predecessor to address the rapidly evolving threat landscape. This work resulted in a 49-page document called “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and Food and Drug Administration Staff.” It is very comprehensive, focuses on the deployment of mitigations using a total product lifecycle (TPLC) approach, and recommends dozens of actions the industry should adopt.

Last April, Senators Bill Cassidy and Tammy Baldwin introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, whose intention was to ensure medical device security during development (the premarket stage). A companion bill was introduced in the House by Representatives Michael Burgess and Angie Craig. The PATCH Act would have amended the Federal Food, Drug, and Cosmetic (FD&C) Act to require that premarket device submissions include information demonstrating reasonable assurance of safety and effectiveness throughout the lifecycle of a device.

It would have changed the FDA’s voluntary guidance into a mandatory requirement with cybersecurity embedded in medical devices to be approved by the agency. Unfortunately, the Cassidy-Baldwin bill never came to a vote during the 2022 Congressional year, which ended this past January 3. However, there was still hope some of it could be retained for use at some point.

Last December, President Biden signed the Consolidated Appropriations Act for 2023 (the $1.7 trillion omnibus bill) that funds the federal government through September. It includes the Food and Drug Omnibus Reform Act (FDORA), a major addition to the amendments to the FD&C Act that directs manufacturers of “cyber devices” to develop plans to “monitor, identify, and address” cybersecurity vulnerabilities of marketed devices “in a reasonable time.”

Unfortunately, in the race to get the FDA funded for FY 2023 within the omnibus bill, the agency was forced to drop almost all its medical device cybersecurity requirements outlined in the FDA guidelines. Senate Republican leadership felt there was not enough time for legislators to review them fully and that they should be addressed separately.

However, the omnibus appropriations bill still includes some guidelines drawn up by the FDA. It retains the requirement for medical device manufacturers to ensure that their devices meet certain minimum standards for cybersecurity and submit a plan to the FDA to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits.

Manufacturers must also submit plans to the FDA for every new product application (i.e., a “premarket device submission”) that demonstrates how the device will address vulnerabilities. Patches to post-market software and firmware are also required. In addition, medical device manufacturers will be required to provide a Software Bill of Materials (SBOM) to the FDA that includes all off-the-shelf, open-source, and critical components used by the devices.

The bill further requires the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office (GAO) is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can strengthen coordination to improve the cybersecurity of devices.

Nevertheless, this still leaves medical device manufacturers in the unfortunate position of sorting out what’s required of them without a complete set of guidelines. For this, the industry will have to wait for these details to be created, reviewed, modified, submitted, entered into a bill in Congress, and presumably signed by the President. At the pace of government, this could be several years, but as the healthcare industry cannot wait for the federal government to slog through its bureaucratic morass, it must act now.

The Vague Definition of a Device

It’s unfortunate that the FDA and the government have adopted the vague definition of a cyber device as an end product that includes software, connects to the Internet, and contains technology that could be vulnerable to cybersecurity threats. Much of this language also focuses on software and does not directly give the “cyber device” label to electronics such as processors, radio transceivers, and many other components. Instead, it assumes that these components would necessarily be designed to meet the regulations required of the end product.

Most engineers would likely take issue with such a stance because optimal cybersecurity can only be achieved if components such as microcontrollers, general-purpose processors, FPGAs, and GPUs, alone or in combination, have been designed from their inception to be secure.

For example, manufacturers have taken great pains in recent years to make their products secure down to the die level and supplement this with multiple levels of encryption and other features because the components are, or can be, at the core of every “cyber device,” as defined by the FDA. Hopefully, the language the FDA uses in the future will address them.

The healthcare industry also faces the significant issue of legacy devices and medical equipment, as millions of both are either already in service or in production and may or may not meet the new cybersecurity mandates. Without federal funding, everyone from device manufacturers to healthcare systems will have to foot the bill for doing what’s necessary to ensure they have the highest level of cybersecurity. A thorough reading of the legislation does not reveal any language referring to “grandfathering in” existing equipment. However, it might be possible to gain an exemption on a case-by-case basis, which would be time-consuming and expensive.

No one doubts that the healthcare industry needs firm rules that are mandated rather than recommended, in terms detailed enough for medical device manufacturers to follow. What’s been achieved so far is a good start, and with luck what was left out of the FDA guidelines will eventually be restored. Until then, manufacturers of both the components used in medical equipment and the medical equipment itself must ramp up efforts to meet the requirements of existing law while anticipating that further instructions will follow.