Many existing medical devices operate on legacy systems, which makes them difficult to maintain and vulnerable to manipulation by hackers. In recent years, researchers have discovered numerous security vulnerabilities within medical devices that have highlighted the need for improved standards and more stringent regulations.
Legislators around the world have begun to respond, and as such, there’s a growing need for a focus on cybersecurity risk management during the design and development of medical devices.
In our topical article below, our Head of eHealth Paul Gardner shares an outline of the latest proposed EU and US legislation, as well as some recommendations for addressing the upcoming rules.
April 4, 2022 | US Senators introduce PATCH Act
In April this year, US Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with the aim of ensuring medical device security at the premarket stage. Representatives Michael C. Burgess (R-TX) and Angie Craig (D-MN) introduced companion legislation in the House of Representatives.
The bill states that the PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes”.
The PATCH Act would define the implementation of critical cybersecurity requirements for medical device manufacturers applying for premarket approval through the FDA, and require manufacturers to design, develop, and maintain updates and patches throughout the lifecycle of their devices.
Manufacturers would also have to create a comprehensive plan to address post-market cybersecurity vulnerabilities in a timely manner, and be required to create a software bill of materials (SBOM) for their products and components (an SBOM makes it easier to monitor vulnerabilities and understand dependencies across components in an application).
May 13, 2022 | EU Commission announces agreement on NIS2 Directive
In May, the European Commission announced the political agreement reached between the European Parliament and EU member states on the NIS2 Directive.
Initially proposed by the EU Commission in December 2020, the NIS2 Directive outlines measures for a common level of cybersecurity throughout the EU.
Thierry Breton, European Commissioner for the internal market, emphasised the significance of this political agreement by stating how the Directive would modernise rules to secure more critical services for society and the economy.
NIS2 replaces the NIS Directive, which was adopted on July 6, 2016, and sets forth the EU’s current rules on the security of network and information systems.
Operators of essential services and providers of digital services (including enterprises in the energy, transportation, banking, financial market infrastructures, healthcare, and digital infrastructure sectors) must comply with several security regulations laid out in the Directive such as securing their network and information systems, ensuring service continuity, and notifying their authority of any security incidents that have a significant impact.
June 8, 2022 | US Congress approves Food & Drug Amendments of 2022 bill
June saw the US Congress vote to approve a bill that requires the FDA to guarantee cybersecurity throughout the lifetime of medical devices – ensuring that medical device manufacturers meet defined minimum cybersecurity requirements set by the agency.
The Food and Drug Amendments of 2022 (H.R. 7667) expands requirements related to the overall supply chain for drugs and devices, including improving cybersecurity at the manufacturing level. The minimum requirements that manufacturers of medical devices will have to meet include:
- Establishing plans to monitor, identify, and address cybersecurity vulnerabilities and exploits
- Designing, developing, and maintaining processes and procedures to ensure devices and related systems are secure
- Making available timely updates and patches to the device throughout the lifecycle
- Providing labelling of medical device software bill of materials, including commercial, open-source, and off-the-shelf software components
June 14, 2022 | US Senators introduce Strengthening Cybersecurity for Medical Devices Act
The recently introduced Strengthening Cybersecurity for Medical Devices Act calls on the FDA to review and update its medical device security guidelines more frequently.
Introduced by Senators Jacky Rosen (D-NV) and Todd Young (R-IN), the bipartisan legislation would specifically require the FDA to work with the Cybersecurity and Infrastructure Security Agency (CISA) to review industry guidance, make appropriate updates every two years, and provide the industry with new information on improving the cybersecurity of medical devices.
This new information would include guidance on identifying and addressing medical device security vulnerabilities and would explain how providers, health systems, and medical device manufacturers can effectively get support from CISA, HHS, and other government entities.
In addition, the act would require a report from the Government Accountability Office (GAO) describing the challenges that providers, health systems, and manufacturers face in accessing federal support when addressing medical device security vulnerabilities.
Recommendations for addressing the legislation
These legislative efforts will transform how manufacturers secure medical devices and how national agencies help healthcare stakeholders navigate medical device security. That said, the legislative process is lengthy, so manufacturers should be proactive with their implementation of cybersecurity best practices to mitigate risk. To that end, here are some recommendations:
- Manage your risks: Develop a cybersecurity risk management process in parallel with your conventional device risk management processes.
- Secure your designs: Build cybersecurity controls into the design stages of your development process. Your design options should maximise cybersecurity without hindering the safety aspects of your device. Develop a lifecycle plan for your devices to ensure you can support updates, patch vulnerabilities, and decommission outdated or obsolete devices.
- Verify and validate your devices: Test your devices to ensure they meet the design requirements for security. Conduct cybersecurity tests, such as penetration testing and vulnerability scanning, which effectively demonstrate that your devices meet cybersecurity requirements.
- Monitor your deployed devices: Track and report any vulnerability that could impact your medical device. Provide patches and updates regularly to ensure your devices are secure and clear of exploitable vulnerabilities. Consider implementing a risk-assessed software update process into the device.
- Secure your development & production platforms: Implement the necessary security and privacy controls on your cloud platforms to ensure data and devices are protected. For example, ensure you have a robust backup process in place and use Multi-Factor-Authentication on all systems and applications to ensure data integrity and safety.
Cybersecurity for medical devices is an evolving topic and a global issue. Whilst this article focuses on the EU and US, it’s important to note that Canada, Australia, Singapore, Brazil, and many other countries have also begun to introduce enhanced cybersecurity legislation.
Our eHealth team stays up-to-date with the latest global developments, so if you have a cybersecurity-related challenge, please feel free to get in touch. And for more Congenius articles on cybersecurity for medical devices, take a look here.