Getty Images/iStockphoto
Experts Weigh in on Medical Device Security Exit from FDA User Fee Bill
Experts see the exclusion of medical device security from the FDA user fee reauthorization bill as a missed opportunity, but there is still optimism for future efforts.
An appropriations bill that will reauthorize US Food and Drug Administration (FDA) user fees is advancing without key medical device security provisions included in the House bill, which passed with overwhelming support in June.
The updated bill’s passage will keep the FDA funded past September 30, when the five-year user fee authorization was previously set to expire. User fee programs allow the FDA to collect fees from companies that produce products such as drugs and medical devices in order to supplement annual funding from Congress.
But due to legislative compromises and looming deadlines, the final bill is significantly slimmer, omitting legislative priorities like medical device security that were included in the House bill.
Specifically, the House bill put additional responsibilities on medical device manufacturers to assess cybersecurity at the premarket stage and included software bill of materials (SBOM) requirements. The bill contained language much like that used in the Protecting and Transforming Cyber Health Care (PATCH) Act, which was introduced in March.
The exclusion of medical device security from the bill does not mean that the FDA and legislators will not continue to push for medical device security via the PATCH Act and other avenues.
However, for many experts, the exclusion is still a source of frustration, and its initial inclusion symbolized hope for many who have been hoping to see medical device security considerations signed into law for years.
Missed Opportunity For Medical Device Security
"If risky medical devices are not identified and secured, the goal of this bill to 'ensure that patients and providers can continue to benefit from the development of life-saving and life-changing technologies' will be in jeopardy,” Melissa Trace, VP of global government at Forescout, told HealthITSecurity.
Trace pointed to the Federal Bureau of Investigation’s (FBI) recently released notice outlining the risks associated with unpatched and legacy medical devices. The FBI has observed a recent uptick in medical device vulnerabilities, which could cause operational disruptions, data breaches, and risks to patient safety if exploited.
“These assets can and will be exploited by bad actors to cause disruptions in patient safety, release confidential and personal data, and impact operations at medical facilities,” Trace continued.
Trace expressed hope that medical device security considerations would be “recognized and revisited.”
To Joshua Corman, VP of cyber safety strategy at Claroty, the passage symbolized a lost chance to enhance medical device security.
"Hospitals were in favor of the PATCH Act. With increased attacks on healthcare - and increasingly grave consequences, it is a missed opportunity for leadership,” Corman said.
“The status quo isn’t keeping pace with these growing harms. I’m hopeful that the coming White House strategy and other pushes for necessary change are more successful at meeting the moment."
Continued Push For Transparency, SBOMs
SBOMs provide a list of all software components in a given device, enabling transparency by allowing device manufacturers, buyers, and operators to identify and mitigate vulnerabilities and manage medical device security more efficiently.
Experts have long pointed to SBOMs as a way to increase the security of medical devices, and SBOM language was used in the user fee bill as well as the PATCH Act.
For Thomas Pace, CEO of XIoT cybersecurity firm, NetRise and former head of cybersecurity for the Department of Energy (DoE), the exclusion of medical device security was surprising and symbolized a “deviation” from the progress that the industry has made.
Pace also stressed the importance of SBOMs, especially now that so many medical devices are connected to the internet.
“Medical devices used to be viewed as this mystical black boxes that were very challenging to gain insight, visibility, and risk identification into, and that's just not true anymore,” Pace said.
Pace suggested that the prevalence of internet-connected devices requires an updated approach to security.
“Given increasing connectivity and threats, healthcare delivery organizations need confidence in the security of medical devices, which also requires transparency into their software bill of materials,” explained Grant Geyer, chief product officer at Claroty.
“While the removal of language from legislation that would enhance the security of medical devices is a missed opportunity in the short term, we have conviction that security and transparency is the direction the manufacturing industry is still heading.”
Transparency is crucial, Geyer emphasized, “whether the connected devices are in support of patient care, part of an autonomous car, or helping to deliver clean drinking water.”
Healthcare Must Act Now
Greg Murphy, CEO and President of Ordr, acknowledged that it was disappointing that the medical device security language was removed from the final bill.
“That also highlights the main issue here - healthcare facilities cannot just resign themselves to wait for government regulations to be put in place,” Murphy suggested.
“Even if regulations passed today, it would take years to have a real impact on healthcare facilities, and there would still be challenges with legacy devices already deployed in the network.”
Medical devices can remain in operation for upwards of 10 years, and most hospitals have thousands of devices on their networks at any given time. Additional transparency and SBOM requirements baked into legislation would go a long way to ease the burden on healthcare organizations.
But Murphy also suggested that healthcare organizations take security matters into their own hands as they await helpful legislation.
“They should secure their medical devices starting with a full asset inventory of what’s actually in their network, identify and address vulnerabilities associated with them, and then look at segmenting devices that cannot be patched,” Murphy reasoned.
“Insecure devices open the door to attacks that can impact patient care."
Although it is a daunting task, especially for organizations with limited resources, there are free tools and resources available to help the sector mitigate risk.
For example, the Health Sector Coordinating Council (HSCC) maintains its Joint Security Plan (JSP), which serves as a product lifecycle reference guide to developing, deploying, and supporting secure medical devices and health IT products and solutions. Additionally, the FDA’s Center for Devices and Radiological Health released best practices for communicating medical device vulnerabilities to patients and caregivers.