FDA cyber mandates for medical devices goes into effect

New regulations that went into effect on Sunday aim to make it more difficult to hack into medical devices by requiring vendors to beef up the security features of things like pacemakers and insulin pumps before they make it onto the market.

The regulations from the Food and Drug Administration mandate that vendors of medical devices create processes to find and mitigate vulnerabilities, create a software bill of materials and have a plan in place to address vulnerabilities for products after they have been sold.

The new rules empower the FDA to “refuse to accept” devices that don’t meet the agency’s cybersecurity guidelines, giving the agency a blunt tool to decrease the risk of vulnerable medical devices making it into the hands of consumers.

Beau Woods, co-founder of the I am The Cavalry grassroots hacking group, called the mandate a “carrot shaped stick.” If a company lacks mature cybersecurity policies or if its products include a significant vulnerability, the FDA can either prevent the device from being sold or can recall the device completely.

“For medical device makers, that’s a huge hit that could mean getting late to market, which could be millions of dollars a week or a month in revenue,” Woods said. “It’s a pretty significant change in the incentive structure.”

The change in the FDA regulatory regime comes amid a push by the Biden administration to sharpen cybersecurity regulations. The administration is pushing the manufacturers of products to take on greater responsibility for their cybersecurity. The FDA’s regulations for medical devices are at the forefront of that effort.

The FDA’s rules call on vendors to create a plan to monitor, identify and address cybersecurity vulnerabilities of devices already approved for sale and to patch devices for known unacceptable vulnerabilities on a “reasonably justified regular cycle” and to patch any bugs that might cause “uncontrolled risks” as soon as possible.

The new guidance applies to “cyber devices,” which broadly includes products that are connected to the internet, software products or software in devices and devices with technical characteristics that could be vulnerable to cyber threats.

While the regulations technically went into effect in March, the FDA gave device makers leeway until Sunday to prepare for the new rules. Passed into law as part of the 2022 omnibus appropriations bill, the FDA rules represent the first time since 2005 that Congress has authorized an agency to regulate the cybersecurity of the private industry it oversees.

The regulations aim to strengthen the security posture of the health care industry at a time when it is under a barrage of ransomware attacks. In 2022, the FBI issued an alert that medical devices suffer from an increasing number of vulnerabilities stemming from hardware design and software management and noted that more than half of the connected medical and internet of things devices in hospitals had known critical vulnerabilities.

The FDA is already working with medical device manufacturers to address cybersecurity vulnerabilities. In April, the agency worked with the biotechnology company Illumina to raise awareness about a recall for a series of gene sequencing devices featuring a vulnerability that would allow an attacker to take control of the devices remotely.

But the dire state of cybersecurity in the medical industry and the critical need to protect systems that care for human life has some experts arguing for the FDA to be more aggressive in policing the industry.

Sunday’s regulations call for “reasonable assurance” that the device is free of known unacceptable vulnerabilities, but David Brumley, a cybersecurity professor at Carnegie Mellon University and the CEO of the cybersecurity firm ForAllSecure, said this is “too low a bar.”

Medical device makers — particularly ones that have been around for decades — are in the midst of a digital transformation similar to other industries in which they are increasingly relying on software. While digitization and a focus on data may not be new, proactive cybersecurity defenses are lagging.

Brumley said that the makers of software that powers things like pacemakers should go above and beyond to ensure that their products are secure, especially when relying on open-source software packages that are often maintained by volunteers. “If you include something that’s open source that some developer created for free that you’re going to sell on the device, you should be on the hook for the security of it,” Brumley said.