July 22, 2022 | Policy Brief

Cyber Vulnerabilities in Medical Devices Put Patients at Risk

The Food and Drug Administration (FDA) closed the public comment period earlier this month on draft cybersecurity guidance for new medical devices after receiving more than a thousand comments from patients, device manufacturers, and other healthcare sector stakeholders. Aimed at manufacturers seeking FDA approval for new devices, this guidance fails to address the bigger challenge the FDA has identified: securing devices already in use, including those already inside patients. 

The FDA released its draft guidance in April. The new guidance updated a 2018 FDA draft addressing how medical device manufacturers should incorporate cybersecurity into the design, operation, and maintenance of a device throughout its lifecycle prior to submitting the product for FDA approval. Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships and Technology Innovation, noted, “The intent is to enable devices to be that much more resilient to withstand the potential for cyber exploits or intrusion.” 

The new draft guidance includes a welcome requirement that manufacturers supply a Software Bill of Materials (SBOM) with all new products. SBOMs provide needed transparency enabling end users, including patients and hospitals, to quickly identify if their products contain vulnerabilities that hackers might exploit to compromise the proper functioning of life-sustaining devices. Bipartisan legislation pending in Congress would mandate this requirement, and others, for new devices.  

While the draft guidance signals the FDA’s continued commitment to promoting better cybersecurity, it does not address the issue of “legacy outdated software that is difficult to keep secure” — one of the greatest long-term cybersecurity risks, according to the FDA’s Kevin Fu, who served for one year as its acting director of medical device cybersecurity. White-hat hackers have consistently found vulnerabilities in medical devices such as pacemakers and insulin pumps that are already on the market today.  

Although the FDA has issued warnings about some of these vulnerabilities, it has not updated its guidance for post-market cybersecurity since 2016, well before ransomware actors began targeting healthcare systems. Another piece of bipartisan legislation pending in the Senate would require the FDA to update annually its publicly available information about medical device cybersecurity.  

While Schwartz said the FDA has no plans to update the 2016 guidelines, the agency appears poised to address legacy challenges. The FDA’s fiscal year 2023 budget request proposes a 1,000 percent budget increase for medical device security, from $500,000 to $5.5 million — which includes funding for six new staff. Jeffrey Shuren, director at the FDA’s Center for Devices and Radiological Health, testified before the Senate that the FDA also wants additional “authorities to ensure that these devices are cyber safe.” 

Meanwhile, the intra-industry information sharing body, the Health Information Sharing and Analysis Center, has announced its first-ever director of medical device security, Phil Englert, signaling the sector’s prioritization of this issue.  

To prioritize cybersecurity for in-use medical devices, public-private collaboration as well as legislation and regulation will need to incentivize manufacturers to upgrade or replace medical devices with inadequate cybersecurity measures. The healthcare sector, however, will also need to grapple with how to safely balance cyber risk with patient health, particularly when evaluating legacy devices in tens of thousands of patients that cannot be retrofitted to adequate cybersecurity standards. 

Failing to resolve these post-market challenges appropriately will leave patients and healthcare centers across the country vulnerable to malicious cyber actors. 

Annie Fixler is a research fellow at the Foundation for Defense of Democracies (FDD) and deputy director of FDD’s Center on Cyber and Technology Innovation (CCTI), where Erik Thomas is an intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy. 