Don’t wait for laws to protect medical devices

TRIMEDX Senior Vice President of Cybersecurity Scott Trevino recently contributed a piece in Quality Digest urging health systems to be proactive in protecting their medical devices and patients from potential vulnerabilities and threats. The published article, as it appeared on Jan. 18, 2023, is below.

Nearly a quarter of surveyed healthcare cyberattack victims experienced increased mortality rates following a data breach, and more than half reported poorer patient outcomes due to longer hospital stays and delayed procedures. Healthcare has faced the highest average data breach cost—more than $10 million—of any industry for the last 12 years. The evidence is clear: Action must be taken to better prevent breaches and improve patient safety.

Congress is considering medical-device cybersecurity legislation, but the process is arduous. With an average of two healthcare data breaches per day, healthcare systems can’t wait for bills to pass. And even if they passed immediately, the short-term effect would be minimal. Patients need cybersecurity for medical equipment now.

Why medical equipment?

An industry report conducted by Ponemon Institute reveals that healthcare organizations have an average of more than 26,000 network-connected devices and applications, and more than half have a known cyber vulnerability. These vulnerabilities are the primary way bad actors gain entry into a network. Yet only half of respondents in a 2022 cybersecurity survey included these assets in their cybersecurity strategy.

What action is the federal government taking?

The Senate Committee on Homeland Security and Governmental Affairs recommends the Senate pass the Healthcare Cybersecurity Act. The act requires the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity measures in hospitals and other medical facilities, and provide risk-mitigation training for healthcare personnel. The House passed the bill earlier this year.

This fall, Congress rejected an amendment to the Medical Device User Fee Act (MDUFA) that would have given the FDA authority to require device manufacturers to include certain cybersecurity information in their premarket submissions.

In May 2022, senators introduced the Strengthening Cybersecurity for Medical Devices Act. Under the proposal, the FDA must regularly update cybersecurity guidance, publish public information on resources and strategies to improve medical device cybersecurity, and issue a report identifying challenges in cybersecurity for medical equipment, including legacy devices.

Also being considered is the Protecting and Transforming Cyber Health Care (PATCH) Act. The legislation would require original equipment manufacturers (OEMs) to provide information on a connected medical device’s security before it goes to market, including disclosures of vulnerabilities and defined processes and procedures to make updates and patches available to the device throughout its life cycle. To date, PATCH has not moved forward.

The FDA is considering public comments on its highly anticipated draft guidance on medical device security, which instructs device manufacturers on how to approach cybersecurity for device design and associated premarket submissions. Under that guidance, OEMs would be required to create procedures to verify and validate a connected device’s design for a reasonable assurance of safety and effectiveness. The FDA recommends OEMs establish a secure product development framework encompassing all aspects of a product’s life cycle to reduce product vulnerabilities and satisfy medical device compliance safety requirements.

Should these proposals pass, they would better fortify medical devices against breaches. But healthcare systems must act now to protect their patients.

How can healthcare systems shore up their security?

Healthcare systems should evaluate and refine their cybersecurity strategy by addressing current risks and creating a real-time threat-monitoring protocol. The process requires collaboration between clinical engineering and IT teams.

The five tenets of the National Institute of Standards and Technology (NIST) cybersecurity framework lay out a strategy to get plans off the ground:

  1. Identify
    Cybersecurity teams must identify a complete inventory of devices and software. With a detailed and precise account of all devices and their individual attributes, teams can view the scope of risks and vulnerabilities to create an accurate risk profile. This step also involves knowing cybersecurity policies and legal requirements.
  2. Protect
    Organizations must enable safeguards to protect their network, including access control, identity management, staff training, information protection policies, and device vulnerability remediation.
  3. Detect
    Successful cybersecurity plans should define monitoring strategies to quickly identify threats, vulnerabilities, and breaches.
  4. Respond
    Prepare for a breach by creating and practicing a response action plan, and establish processes for remediating or mitigating known vulnerabilities.
  5. Recover
    Healthcare systems must create a strategy to restore services and capabilities affected by a cyberattack to enable a quick return to normal operations.

Using the complete inventory created in step one of the NIST framework, cybersecurity teams can evaluate each device’s vulnerability, risk, and impact on patient safety to create a risk gauge. A comprehensive medical device cybersecurity solution with technology-enabled assessment can raise preparedness by managing inventory, monitoring devices, and flagging vulnerabilities based on the health system’s priorities.
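The risk-gauge step above, as an added illustration that is not from the article or from TRIMEDX: a constructed device inventory (the attributes a clinical engineering and IT team would record under "Identify") is scored on vulnerability severity, network exposure and patient-safety impact, then ranked so remediation effort follows the system's priorities. The device records, weights and thresholds are assumptions, not real assets or vendor data.

```python
from dataclasses import dataclass

@dataclass
class Device:
    asset_id: str
    model: str
    network_connected: bool
    known_vuln_cvss: float   # highest CVSS base score of a known vulnerability, 0 if none
    patch_available: bool
    patient_impact: int      # 1 = diagnostic/admin, 2 = therapy delivery, 3 = life-sustaining
    network_segmented: bool  # placed in an isolated VLAN / firewall zone

# Constructed sample inventory: illustrative values only, not real devices or CVEs.
INVENTORY = [
    Device("MED-001", "infusion pump", True, 9.8, False, 3, False),
    Device("MED-002", "ultrasound cart", True, 7.5, True, 1, True),
    Device("MED-003", "ventilator", True, 6.5, True, 3, True),
    Device("MED-004", "patient monitor", True, 0.0, False, 3, True),
    Device("MED-005", "lab analyzer (standalone)", False, 8.0, True, 1, False),
]

def risk_score(d: Device) -> float:
    """Risk gauge: likelihood (severity x exposure) multiplied by patient-safety impact."""
    if not d.network_connected or d.known_vuln_cvss == 0:
        return 0.0                      # unreachable or no known vulnerability: nothing to gauge
    likelihood = d.known_vuln_cvss / 10.0
    if not d.network_segmented:
        likelihood *= 1.5               # flat network: the flaw is reachable from anywhere
    return round(min(likelihood, 1.0) * d.patient_impact, 2)

def prioritize(inventory, high_threshold: float = 2.0):
    """Rank vulnerable devices by risk and attach the remediation path for each.

    Returns (asset_id, score, tier, action) tuples; devices with zero risk are omitted.
    When no patch exists, the fallback is a compensating control such as segmentation.
    """
    ranked = sorted(inventory, key=risk_score, reverse=True)
    result = []
    for d in ranked:
        score = risk_score(d)
        if score == 0:
            continue
        tier = "HIGH" if score >= high_threshold else "MEDIUM"
        action = "apply vendor patch" if d.patch_available else "segment / compensating control"
        result.append((d.asset_id, score, tier, action))
    return result

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

The unpatched, unsegmented, life-sustaining pump lands at the top of the list; the standalone analyzer drops out despite its higher CVSS because it is not network-reachable.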

The FDA just released an updated “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.” The document describes readiness activities that will enable healthcare systems to be better prepared for a cybersecurity incident involving medical devices. The updates emphasize the need for a diverse team, with clinicians, healthcare technology management professionals, IT, emergency response, and risk management staff participating in cybersecurity preparedness and response exercises. The FDA highlights considerations for dealing with widespread effects and extended downtime during cybersecurity incidents, and adds a resource appendix with tools and references.

As Congress moves closer to passing medical device cybersecurity laws, healthcare systems must implement their own protections now. The new legislation won’t close all access points, so a system-specific risk assessment and remediation strategy is still imperative to protect patient health and data.