The Food and Drug Administration should implement policies that impose cybersecurity requirements on medical device manufacturers to make devices more secure while making it easier for healthcare entities to secure the medical device ecosystem.
Daniel Bardenstein, head of technology and cyber strategy for the Cybersecurity and Infrastructure Security Agency (CISA), presented his proposal during an Aspen Institute fellowship presentation on February 2.
During his tenure as the cybersecurity lead of Operation Warp Speed, the federal government’s COVID-19 vaccination initiative, Bardenstein saw firsthand “the appalling state of security in our system. healthcare, in particular in smart or connected medical devices”.
The discovery prompted Bardenstein to focus on his fellowship at the Aspen Institute: What policy levers should the government put in place to better secure medical devices?
The FDA is tasked with regulating the cybersecurity of medical devices, releasing a Cybersecurity Handbook for Medical Devices in 2018. The guidelines have helped manufacturers and developers disclose vulnerabilities, while educating vendors on best practices.
However, long-standing issues remain. Healthcare industry leaders have long been critical of the current state of medical device security, knowing that the complexity of the device ecosystem, inventory issues, and supplier or manufacturer control issues make it difficult to securing these highly vulnerable devices.
As reported at the Defcon Biohacking Village over the summer, the FDA, manufacturers, and hospitals are all struggling to keep pace with the moving of the needle on device safety. The consensus is that most vendors are forced to simply live with some degree of risk.
Bardenstein’s proposal would take the fight directly to the FDA, urging the agency to require medical device makers to implement basic cyber protections on all their devices and require those vendors to make it easier for hospitals to secure their devices. and other suppliers.
Establish a “cyber baseline” for device manufacturers
In the United States alone, there are an estimated 15 million connected devices, or approximately 20,000 medical devices per hospital. These numbers are expected to continue to increase rapidly over the next 10 years. This also includes devices used by patients and remote care providers outside of the hospital setting.
While medical devices have dramatically improved remote care, Bardenstein pointed out that up to half of these devices “are trivially easy to hack by a malicious hacker.” And in many cases, the lives of patients depend on these devices.
“When we talk about securing medical devices, we are really talking about securing patients and saving lives,” Bardenstein said.
“So why are medical devices so insecure? As stakeholders regularly note, most were not designed with security in mind. But many legacy devices continue to work as expected, so most vendors don’t consider replacing these tools with newer, more secure options.
That’s where the FDA should step in: with the development of a cyberbase to create mandatory protections for all medical devices, he explained. The policy would mirror that of the common safety features required in the automotive industry.
As noted, the current FDA cybersecurity guidelines were finalized four years ago and where manufacturers get the necessary information and requirements for device cybersecurity. But Bardenstein argues it is now “slightly outdated” and “contains non-binding recommendations with considerable ambiguity”.
In short, “manufacturers don’t know exactly what is actually needed for their devices to gain FDA approval,” he explained. “The interpretation is up to manufacturers in terms of what things they actually need to implement in their medical devices and how they implement those safety features in medical devices.”
Bardenstein’s proposal developed a baseline of cybersecurity protections that the FDA should include in its upcoming guidance, which could create clear requirements, specific where appropriate, “to make it easier for everyone to s ‘based on the same standards’.
The standards include new, modern safeguards that were not included in previous FDA guidelines.
Device query interface
The FDA should also require manufacturers to build a security feature into their devices that Bardenstein called a “device query interface,” which will make it easier for hospitals to secure those devices. Specifically, it would allow hospital security officials to “go under the hood and find out if the device is working or secure.”
As stated earlier, most vendor organizations find it extremely difficult to perform repairs or examine the functionality of the device, as this could void the vendor’s contract. As Bardenstein put it, many critical safety features built into products from other industries are “largely absent from today’s medical device landscape.”
Bardenstein proposes that hospitals be able to physically examine the device to determine health or condition, including whether it is vulnerable to cyberattacks. As it stands, device checks are done using tools that “effectively blast a medical device with very many requests, asking about health status, are you vulnerable, what software is running, etc.”
The problem is that these devices are very fragile and “this amount of traffic can easily overwhelm medical devices and can essentially cause them to fail.” And if a patient is connected to this device on the other side, it could impact their safety.
As a result, many hospitals are unable to implement this basic cybersecurity practice of “going under the hood,” creating security blind spots. And even without these checks, devices are still working on the network, even with known or unknown issues or vulnerabilities.
Bardenstein’s proposal for a device request interface would meet this challenge. Calling it a “very light” feature, it could be built into medical devices and reduce that risk.
“I like to think of it like a digital concierge in a hotel,” he explained. For example, instead of knocking on every door to find your friend staying at a hotel, there’s a concierge up front “where you can ask a question and get an answer very quickly.”
For Bardenstein, the interface could minimize the risk of device and even patient malfunctions, allowing hospitals to have greater visibility into device security, operation and vulnerability to prevent cyberattacks.
“Now is a fantastic and urgent time for the FDA to act,” Bardenstein said. As the agency works on updating its guidelines, due later this year, the hope is “that they look at those specific proposals and incorporate them into these guidelines.” Ultimately, the more secure medical devices are, the more successfully healthcare can prevent or mitigate attacks.
“Hospitals under attack can lead to delays in care, which can ultimately lead to patient deaths or other patient safety impacts,” he continued. “As medical devices continue to proliferate, the FDA has an opportunity to establish and maintain patient trust.”