Many medical devices in use today run on legacy software that is difficult to maintain and patch, which leaves them exposed to attackers. In recent years, researchers have disclosed numerous security vulnerabilities in medical devices, highlighting the need for improved standards and more stringent regulation.
Legislators around the world have begun to respond, and as a result there is a growing need to focus on cybersecurity risk management during the design and development of medical devices.
In the article below, our Head of eHealth Paul Gardner outlines the latest proposed EU and US legislation and offers some recommendations for preparing for the upcoming rules.
In April this year, US Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with the aim of ensuring medical device security at the premarket stage. Representatives Michael C. Burgess (R-TX) and Angie Craig (D-MN) introduced companion legislation in the House of Representatives.
The bill states that the PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes”.
The PATCH Act would establish cybersecurity requirements for manufacturers of "cyber devices" that file any premarket submission with the FDA (for example a 510(k), De Novo or PMA submission), and would require them to design, develop and maintain processes for delivering updates and patches throughout the lifecycle of their devices.
Manufacturers would also have to establish a plan to monitor, identify and address postmarket cybersecurity vulnerabilities in a timely manner, and to provide a software bill of materials (SBOM) covering the commercial, open-source and off-the-shelf software components in their products (an SBOM is a machine-readable inventory of components and their versions, which makes it easier to match a device against newly published vulnerabilities and to understand dependencies across the components of an application).
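As an added example (not from the article, and not from any of the bills it describes), the following Python sketch shows what a minimal CycloneDX-style SBOM for a device firmware looks like and how the two things the paragraph mentions are answered from it: components are matched against an advisory feed by name and version range, and the dependency graph is walked backwards to find which parts of the firmware pull in an affected library. The device, component names, versions, bom-refs and advisory identifiers are all constructed for illustration, and the advisory record format is a deliberately simplified one of my own rather than the CycloneDX VEX or OSV schema.

```python
"""Constructed SBOM example: CycloneDX-shaped inventory plus advisory matching.

Everything below (device, components, versions, advisories) is invented for
illustration; the advisory format is a simplified one, not a real feed schema.
"""
import json
from collections import defaultdict, deque
from typing import Optional


def parse_version(v: str) -> tuple:
    """'2.16.10' -> (2, 16, 10): compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed (no fix yet -> still affected)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


# Constructed SBOM in the shape of a CycloneDX 1.4 JSON document; bom-refs use purl syntax.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "pump-fw", "version": "3.2.0",
                               "bom-ref": "pkg:generic/pump-fw@3.2.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11", "bom-ref": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "version": "2.16.9", "bom-ref": "pkg:generic/mbedtls@2.16.9"},
        {"type": "library", "name": "lwip", "version": "2.1.2", "bom-ref": "pkg:generic/lwip@2.1.2"},
        {"type": "library", "name": "freertos-kernel", "version": "10.4.3", "bom-ref": "pkg:generic/freertos-kernel@10.4.3"},
        {"type": "application", "name": "telemetry-uploader", "version": "1.4.0", "bom-ref": "pkg:generic/telemetry-uploader@1.4.0"},
    ],
    # Who depends on whom: the firmware ships the uploader and the kernel; the uploader links the libraries.
    "dependencies": [
        {"ref": "pkg:generic/pump-fw@3.2.0",
         "dependsOn": ["pkg:generic/telemetry-uploader@1.4.0", "pkg:generic/freertos-kernel@10.4.3"]},
        {"ref": "pkg:generic/telemetry-uploader@1.4.0",
         "dependsOn": ["pkg:generic/mbedtls@2.16.9", "pkg:generic/lwip@2.1.2", "pkg:generic/zlib@1.2.11"]},
    ],
}

# Constructed advisory feed (hypothetical IDs, simplified range format).
ADVISORIES = [
    {"id": "ADV-0001", "component": "zlib", "introduced": "1.0.0", "fixed": "1.2.12"},
    {"id": "ADV-0002", "component": "mbedtls", "introduced": "2.0.0", "fixed": "2.16.10"},
    {"id": "ADV-0003", "component": "lwip", "introduced": "2.0.0", "fixed": "2.1.0"},  # our lwip is past the fix
]


def validate_sbom(sbom: dict) -> list:
    """Minimal completeness check: every component named and versioned, every dependency ref resolvable."""
    errors = []
    if sbom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be CycloneDX")
    refs = {sbom.get("metadata", {}).get("component", {}).get("bom-ref")}
    for c in sbom.get("components", []):
        for key in ("name", "version", "bom-ref"):
            if key not in c:
                errors.append(f"component {c.get('name', '?')} missing {key}")
        refs.add(c.get("bom-ref"))
    for d in sbom.get("dependencies", []):
        for target in [d["ref"], *d.get("dependsOn", [])]:
            if target not in refs:
                errors.append(f"dependency references unknown bom-ref {target}")
    return errors


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Match each component against the feed by name and affected version range."""
    hits = []
    for c in sbom["components"]:
        for adv in advisories:
            if adv["component"] == c["name"] and is_affected(c["version"], adv["introduced"], adv["fixed"]):
                hits.append({"ref": c["bom-ref"], "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


def dependents_of(sbom: dict, ref: str) -> list:
    """Walk the dependency graph backwards: everything that transitively depends on ref."""
    reverse = defaultdict(list)
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            reverse[child].append(d["ref"])
    seen, queue = [], deque([ref])
    while queue:
        for parent in reverse.get(queue.popleft(), []):
            if parent not in seen:
                seen.append(parent)
                queue.append(parent)
    return seen


if __name__ == "__main__":
    print(json.dumps(SBOM, indent=2))
    assert validate_sbom(SBOM) == []
    for hit in find_vulnerable(SBOM, ADVISORIES):
        print(hit["advisory"], hit["ref"], "fixed in", hit["fixed"], "-> affects", dependents_of(SBOM, hit["ref"]))
```

Two details matter in practice: versions must be compared numerically (mbedtls 2.16.9 is below 2.16.10, which a string comparison gets wrong), and the `dependencies` section is what turns a flat component list into an answer to "which shipped function is exposed", which is what a postmarket response plan needs.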
In May, the European Commission announced the political agreement reached between the European Parliament and EU member states on the NIS2 Directive.
Initially proposed by the EU Commission in December 2020, the NIS2 Directive outlines measures for a common level of cybersecurity throughout the EU.
Thierry Breton, European Commissioner for the Internal Market, underlined the significance of the agreement, stating that the Directive would modernise the rules to secure more of the critical services on which society and the economy depend.
NIS2 replaces the NIS Directive, which was adopted on July 6, 2016, and sets forth the EU’s current rules on the security of network and information systems.
Under the current rules, operators of essential services and digital service providers (including organisations in the energy, transport, banking, financial market infrastructure, healthcare and digital infrastructure sectors) must meet the security obligations set out in the Directive: securing their network and information systems, ensuring continuity of service, and notifying the competent national authority of incidents that have a significant impact. NIS2 widens this scope and, notably for this audience, brings manufacturers of medical devices and in vitro diagnostic medical devices within the Directive.
In June, the US House of Representatives passed a bill that would require the FDA to ensure cybersecurity throughout the lifecycle of medical devices by holding manufacturers to minimum cybersecurity requirements set by the agency.
The Food and Drug Amendments of 2022 (H.R. 7667) expands requirements across the supply chain for drugs and devices, including cybersecurity obligations on device manufacturers. The minimum requirements that manufacturers of medical devices would have to meet include:
The recently introduced Strengthening Cybersecurity for Medical Devices Act calls on the FDA to review and update its medical device security guidelines more frequently.
Introduced by Senators Jacky Rosen (D-NV) and Todd Young (R-IN), the bipartisan legislation would specifically require the FDA to work with the Cybersecurity and Infrastructure Security Agency (CISA) to review industry guidance, make appropriate updates every two years, and provide the industry with new information on improving the cybersecurity of medical devices.
This new information would include guidance on identifying and addressing medical device security vulnerabilities and would explain how providers, health systems, and medical device manufacturers can effectively get support from CISA, HHS, and other government entities.
In addition, the act would require a report from the Government Accountability Office (GAO) describing the challenges that providers, health systems, and manufacturers face in accessing federal support when addressing medical device security vulnerabilities.
These legislative efforts will change how manufacturers secure medical devices and how national agencies help healthcare stakeholders navigate medical device security. The legislative process is lengthy, however, so manufacturers should not wait for the final rules before implementing cybersecurity best practices to mitigate risk. To that end, here are some recommendations:
Cybersecurity for medical devices is an evolving topic and a global issue. Whilst this article focuses on the EU and US, it’s important to note that Canada, Australia, Singapore, Brazil, and many other countries have also begun to introduce enhanced cybersecurity legislation.
Our eHealth team stays up-to-date with the latest global developments, so if you have a cybersecurity-related challenge, please feel free to get in touch. And for more Congenius articles on cybersecurity for medical devices, take a look here.