
Advances in technology continue to expand the promise and capabilities of medical devices. Previously limited to such basic items as bedpans, bandages, crutches, and wheelchairs, the category now encompasses technologies which were once unimaginable, including cardiac implantable electronic devices and closed loop artificial pancreas systems.

As medical devices become more sophisticated, the stakes of their potential failure increase. Moreover, as advanced devices become interconnected through shared networks, the risk of a single device’s failure extends beyond harm to an individual patient. One compromised device now has the potential to impact multiple patients or even entire health systems.

In response to the escalating potential for harm associated with cyber threats targeted at medical devices, Congress, the Food and Drug Administration (FDA), and other federal agencies have intensified their focus on cybersecurity, enacting legislative initiatives and establishing regulatory frameworks to mitigate risks. This governmental push towards stronger cybersecurity measures parallels the medical device sector’s own efforts to enhance the security of their products through the adoption of industry best practices.

Regulation of Medical Devices

The World Health Organization estimates that there are 2 million individual types of medical devices in existence. In the United States, FDA ensures the safety and efficacy of over 190,000 distinct devices, as authorized by the Medical Device Amendments of 1976 to the Food, Drug and Cosmetic Act.

Per statute, FDA considers a medical device “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is … intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals.”

Within FDA, responsibility for the oversight of medical devices falls to the Center for Devices and Radiological Health (CDRH).[1]

CDRH classifies medical devices within one of 1,700 generic device types across 16 panels representing individual medical specialties. Devices are also classified into one of three classes based on the level of risk they pose to patients or users. FDA requires premarket approval and the submission of clinical data prior to the approval of Class III devices, which are of greatest risk.

In 2013, CDRH instituted a medical device cybersecurity team charged with assessing the cybersecurity of medical devices in collaboration with other government agencies and industry stakeholders. The team’s key partner has been the Cybersecurity and Infrastructure Security Agency (CISA), with which FDA signed a collaborative agreement in 2018.

In the eleven years since its inception, CDRH’s medical device cybersecurity team has issued 17 safety alerts and managed 13 medical device cybersecurity incidents. It also initiated 68 cybersecurity-related recalls of medical devices.

Expanded Authority for Cyber Devices

Congress expanded FDA’s authority over cybersecurity in medical devices through the Consolidated Appropriations Act, 2023 (CAA).

The CAA specifies device classification, defining a cyber device “as a device that (1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”

The legislation also requires manufacturers of new cyber medical devices to provide FDA with details of their plans to identify, address, and monitor cybersecurity vulnerabilities and to provide a software bill of materials, including commercial, open-source, and off-the-shelf software components, for any new medical devices introduced after March 2023. The requirement is not retroactive and only applies to medical devices introduced before March 2023 if manufacturers are submitting new marketing applications for changes to a device.

To assist device manufacturers in negotiating the process, FDA released Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions in September 2023. The new, non-binding guidance on information to include in premarket submissions supersedes previous guidance from 2014 on cybersecurity in medical devices.

Defining and assessing threats

In addition to expanding FDA’s authority, the CAA also tasked the Government Accountability Office (GAO) with conducting a review of cybersecurity in medical devices.

In its report, released in December 2023, GAO noted that the U.S. Department of Health and Human Services (HHS) and the Healthcare and Public Health Sector Coordinating Council (HSCC) have previously found that “medical devices have not typically been exploited to disrupt clinical operations in hospitals.” However, HHS has also acknowledged that, given the potential for harm, the cybersecurity of medical devices “warrant[s] significant attention.”

Cybersecurity threats in medical devices can take one of two forms: those which could impact clinical operations, whether diagnostic or therapeutic, and those which could result in data breaches. Both can be costly. IBM Security estimates that the average data breach in the healthcare sector costs $10.93 million. The cost of delayed or inappropriate patient care is more difficult to calculate.

Inherent risks in Interconnectivity

Smart technology has made most of us familiar with the concept of the Internet of Things (IoT): the network of physical objects that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

The Internet of Medical Things (IoMT) is a specialized subset of IoT, focusing specifically on the application of connected devices in the field of healthcare and medicine. The IoMT encompasses a wide range of medical devices and applications that are connected to healthcare IT systems through online computer networks. These devices can range from wearable external medical devices like heart rate and activity monitors to internal devices like smart pills or advanced prosthetics.

The IoMT has the potential to revolutionize the way healthcare is delivered by enabling remote monitoring of patients, improving the accuracy of diagnoses and treatments, and enhancing the overall efficiency of healthcare systems. It also plays a crucial role in personalized medicine and patient-centered approaches to healthcare, in which treatments can be tailored to individual needs based on real-time data.

However, as FDA observes, what it calls the “blast radius” of any single device is expanded as it becomes interconnected with others. Through IoMT, a single compromised device has the potential to initiate a cascading effect of failure across an entire healthcare network.

Unfortunately, there are numerous opportunities for compromise.

In September 2022, the Federal Bureau of Investigation issued a private industry notification (PIN) warning that “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.” The PIN noted that “53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities” and cited a private sector study which found a remarkable “6.2 vulnerabilities per medical device.”

Achieving a Shared Responsibility

The International Medical Device Regulators Forum (IMDRF), of which FDA is a member, emphasizes that medical device manufacturers should incorporate security into the original product design and ensure its maintenance throughout the device’s total product life cycle. This entails designing devices under a secure development framework and providing support to product users throughout a specifically defined timeframe.

But the onus is not entirely on manufacturers. FDA views cybersecurity of medical devices as “a shared responsibility across the healthcare system, including healthcare facilities, providers, and manufacturers.”

To this end, the HSCC Cybersecurity Working Group serves as a platform for collaboration among stakeholders from both the private and public sectors. Its members include the Medical Device Manufacturers Association (MDMA), the American Hospital Association, and the American Medical Association, as well as CMS, FDA, the Centers for Disease Control and Prevention, and the U.S. Department of Defense. Their joint efforts are aimed at enhancing the cybersecurity of medical devices and healthcare IT systems.

The HSCC’s guidance is widely disseminated. Yet adherence to cybersecurity protocols is not always achieved.

While 83.95% of hospitals in a 2023 survey reported having email protection systems in place, only 55.61% reported practicing medical device security. User failure to update default configurations, such as factory settings and administrative passwords, can leave devices open to bad actors from the outset. In addition, research shows that even when alerted to vulnerabilities in devices, operators may not install patches or undertake software upgrades in a timely manner. Edgescan found that in 2022, the mean time to remediation (MTTR) of identified vulnerabilities in healthcare was 63 days. By contrast, MTTR for the retail sector in the same period was 55 days.

Legacy Devices

Legacy medical devices represent a distinct category of cybersecurity vulnerability. Although the term “legacy” might suggest outdated equipment, as defined by the IMDRF and used within the context of medical devices, it specifically refers to devices that are inherently unable to be safeguarded against contemporary cybersecurity threats. This vulnerability is often linked to the age of the device. However, it is important to note that even some newer devices fall under the IMDRF’s definition of “legacy” due to their security inadequacies.

The use of legacy devices in healthcare settings is neither illegal nor unusual. Budgetary pressures often force healthcare providers, especially rural or critical access hospitals, to continue to use a device after a designated end-of-life or end-of-service phase. At other times, there may not be reasonable alternatives available for purchase. Recognizing this, FDA contracted with MITRE to outline practical approaches and recommendations for the management of legacy devices. FDA released MITRE’s report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, in November 2023.

Opportunities for Improvement

While GAO generally commended FDA’s efforts to mitigate cybersecurity risks in medical devices, it pointed out a critical gap: an outdated partnership with CISA. GAO’s evaluation revealed that the existing collaborative framework lacks effective mechanisms for tracking progress and fails to incorporate defined performance indicators. Additionally, it has not been revised to account for pivotal changes within both agencies, including CISA’s reorganization and FDA’s initiation of a new information sharing protocol in 2020.

To address these issues, the GAO has advised the FDA and CISA to update their agreement for collaboration. Both parties have accepted the recommendation.

By improving coordination, the FDA and CISA aim to enhance their effectiveness in safeguarding the integrity of the healthcare system and protecting patient safety.

********

[1] When a product combines both drug(s) and device(s), FDA’s Center for Drug Evaluation and Research (CDER) or the Center for Biologics Evaluation and Research (CBER) may review it.