Alongside technology innovations and the frequent electronic exchange of health information, cybersecurity for medical devices and equipment has become a top priority for healthcare providers. Life-sustaining medical devices, such as ventilators and infusion pumps, are now connected wirelessly to a variety of systems, networks and other tools within a hospital – ultimately contributing to the Internet of Medical Things (IoMT) and presenting potential points of breach as well as incremental costs and operating risk to providers.
Patient care disruptions and safety issues related to medical device security vulnerabilities are a critical concern as the number of IoMT medical devices is expected to skyrocket from 10 billion to 50 billion over the next decade. These cyberattacks not only threaten patient privacy and clinical safety and outcomes, but also a hospital’s financial resources. According to a recent report, the average breach costs in healthcare surpassed $10 million in 2022, with the industry maintaining its top rank for costliest industry breaches for the 12th consecutive year. Alongside direct costs related to a breach, providers may see added costs in hardware, software, firmware and labor.
It’s vital that manufacturers incorporate and sustain industry-identified cybersecurity best practices and data management controls over the reasonable economic life of IoMT devices and equipment. Hospitals today are taking critical security steps to safeguard clinical technologies, information systems and their network environment(s) while enhancing data protection capabilities – but cooperative and accountable action with manufacturers is necessary to further reduce cyber vulnerabilities and the unsustainable costs they drive.
A collaborative effort
Cybersecurity risk management for medical devices is a shared responsibility among manufacturers and healthcare providers to address patient safety risks and ensure proper device performance.
Historically, however, several factors have introduced and sustained ambiguities in this accountability, including misaligned expectations on cybersecurity controls and management throughout a device’s lifecycle, which is often ill-defined by the manufacturer. A lack of clear manufacturer-defined guidance on security requirements for devices, both new and old, is particularly problematic for providers when considering the comparative accountability for risk associated with non-compliance.
Beginning to reconcile these issues starts with strong partnerships between manufacturers and health systems to ensure cybersecurity objectives and expectations are clearly outlined and agreed upon within the larger context of a sustainable economic environment.
Specific cybersecurity language in contracts helps mitigate risk and keeps device manufacturers accountable for their role in the security management process. Effective model contract language, and the process around it, needs to communicate baseline cybersecurity control expectations that manufacturers must formally attest to as conditions of sale or use. This approach also requires manufacturers to provide a pre-distribution device designed with the goals of:
- Reducing cybersecurity intrusion and misuse;
- Improving availability, reliability and accuracy;
- Adhering to generally accepted security procedures over the anticipated lifespan of the device or equipment; and
- Proactively providing a Software Bill of Materials (SBOM) for all firmware and software associated with the use of the device or equipment.
Upfront collaboration and alignment between manufacturers and health systems during the sourcing process provides much-needed clarity for both parties on agreed-upon objectives and control assurances. Device manufacturers, for instance, can affect and improve the protection of systems, data and patient safety by incorporating technical safeguards during the product design phase – and by performing risk assessments and threat models for each use case involving IoMT medical devices to help identify potential safety risks.
At this stage, a uniformly accepted concept of value for the device or equipment is paramount. Selling on features and replacement cycles must give way to a model in which a device's functions are measured against sustainability and value delivery over its lifecycle – enabling providers to eliminate waste, reduce costs and protect patients. Following these assessments, implementing cybersecurity controls and collaboratively managing evolving standards throughout the lifecycle of a device, from procurement to disposal, is critical for safe use.
The information and transparency provided early in the purchasing process can help health systems make informed decisions on which devices to procure and integrate into their systems – with the goals of both delivering high-quality patient care and decreasing cyber risks. For example, a buyer would want to know if an otherwise brand-new IoMT device incorporates a component technology that was designed a decade ago and has not been upgraded to present-day cybersecurity standards. Manufacturers must share with health systems the responsibility for safeguarding the confidentiality of patient data, maintaining data integrity, and ensuring the continued availability and functionality of the device system itself.
Policy proposals look to enhance security protections
As a regulator, the FDA has a leadership role in creating expectations that manufacturers will proactively minimize risk by building cybersecurity into products by design, providing security tools to health systems, and updating and patching devices as new intelligence and threats emerge.
The passage of the Protecting and Transforming Cyber Health Care (PATCH) Act of 2022, as part of the Consolidated Appropriations Act of 2023, makes vital improvements to the FDA’s oversight of medical device cybersecurity by holding manufacturers accountable for developing products with appropriate security controls. The bill enables manufacturers to design, develop and maintain processes and procedures to provide updates and patches throughout the lifecycle of their devices. Essential to the success of this process is real-world alignment in how a manufacturer and provider define the lifecycle of a type of device or equipment. The bill also includes key provisions on monitoring and identifying post-market vulnerabilities, developing a plan for coordinated vulnerability disclosure and providing an accounting of all software contained in a device.
While recent Congressional action represents a notable step in the right direction, further progress is needed to reduce cybersecurity risk.
Additional Congressional action in the 118th Congress could incent increased collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as the development of educational materials and training for health systems and providers.
Under FDA regulations, manufacturers of newer devices must disclose vulnerabilities as they are discovered, but older legacy devices remain a critical vulnerability. Because of their long useful lifespans, many legacy devices still in service were not built with cybersecurity in mind and may use outdated or insecure software, hardware and protocols – making them difficult to patch and leaving them vulnerable to attack.
Regulators should also consider revisiting the landscape for security breach penalties. For example, the FDA and one large device manufacturer worked together to identify, communicate and prevent adverse events related to a cybersecurity vulnerability with a specific series of the manufacturer’s insulin pump system. Manufacturer testing found that with unauthorized access, the pump’s communication protocol could be compromised, which may cause the pump to deliver too much or too little insulin. While the manufacturer worked collaboratively with the FDA to provide notification, had a breach occurred, the penalties would have inequitably been applied to the hospital. At the same time, it is not feasible for a hospital to purchase all new insulin pumps overnight given ongoing financial constraints.
Penalties should be proportionally applied to the product manufacturer and the health system experiencing the breach based on their relative contribution to the breach's root cause, using objective industry best practices as the standard. Manufacturers selling a device marketed to function technically in a defined manner should assume greater responsibility when a risk is identified that compromises the technical solution they marketed and sold. In many instances, this accountability falls inequitably on the provider. Further, we encourage the FDA to expeditiously finalize guidance documents related to cybersecurity of medical devices to quell any confusion regarding their applicability and enforceability, and to ensure sufficient staffing and expertise to enforce this guidance and the recently passed provisions of the PATCH Act.
While cybersecurity incidents are a continual threat to the U.S. healthcare industry, healthcare providers, medical device manufacturers, and lawmakers and regulators have made considerable progress in defending networks, securing data and protecting patients. With greater collaboration, predictability and consistency in cybersecurity management, together we can make even greater strides toward patient safety and a more secure and sustainable healthcare system.