Author: Paulina Andrews

Cybersecurity in Medical Devices: The FDA Passes New Guidance

By Paulina Andrews

Few cybersecurity attacks on hospitals involve reading a newspaper through an IV bag because hackers removed physician access to the CT machines, but ransomware and cyber-attacks can have terrifying consequences. In a January 2018 ransomware attack on Indiana hospitals, one hospital paid the hackers in Bitcoin to regain access to its systems. Days later, an attack on Allscripts, an electronic health record company, resulted in over 64,000 hospitals, ambulatory facilities, and other healthcare organizations losing access to patient records and the ability to prescribe medications. Attacks of this magnitude on internet-connected medical devices, such as pacemakers and insulin pumps, and on hospital monitoring and drug-administration systems are rare, but smaller-scale attacks are more common. These devices are connected to the hospital's network, so a single infected device can spread malware to the entire hospital or, worse, to the entire network it is connected to.

Medical devices tend to have weak security, which hackers take advantage of to access hospital systems. Hackers then steal patients' Social Security numbers or lock physicians out of medical records to ransom system access, leaving physicians unable to prescribe medicine or monitor patients' conditions. On September 27, 2023, the Food and Drug Administration ("FDA") issued guidance stating that these "[c]ybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally." Citing a research report, the Federal Bureau of Investigation ("FBI") reiterated that "[fifty-three percent] of connected medical devices and other internet of things ["IoT"] devices in hospitals had known critical vulnerabilities."

In December 2022, President Joe Biden signed the U.S. Omnibus Bill ("Bill"), also known as the Consolidated Appropriations Act of 2023, which in part amended the Federal Food, Drug, and Cosmetic ("FD&C") Act. The Bill added Section 524B to the FD&C Act to "Ensure Cybersecurity of Devices" by setting standards for medical device companies and manufacturers. The FDA had previously been criticized by the Department of Health and Human Services ("HHS") Office of Inspector General ("OIG") for failing to address the cybersecurity risks that medical devices pose. Because the growth of technology and the internet has outdated the FDA's 2005 guidance on Cybersecurity for Networked Medical Devices, the FDA will now be required to update its Cybersecurity in Medical Devices industry guidance every two years. The goal of this guidance is to modernize healthcare and prevent cybersecurity incidents.

The FDA, which is responsible for approving medical devices in the United States, now has explicit statutory authority to regulate the cybersecurity of medical devices. Medical device companies will have to meet, among other requirements, certain safety certifications and perform risk management. The guidance recommends that these companies follow a Secure Product Development Framework ("SPDF"): "a set of processes that help identify and reduce the number and severity of vulnerabilities" in pre-market medical devices and that "encompass[es] all aspects of a product's lifecycle, including design, development, release, support, and decommission." Medical device companies and manufacturers will be required to release post-market software updates as frequently as needed to keep devices secure. Along with the cybersecurity guidance documents, the FDA has released videos to help healthcare facilities develop emergency preparedness plans for cybersecurity attacks and other incidents.

The pre-market obligations the FDA is imposing on medical device companies and manufacturers will require them to change both their pre- and post-market operations to obtain approval and remain compliant. These manufacturers will have to alter both their products and their quality management systems to create and maintain secure medical devices. Additional security updates may degrade a device's performance or cause devices to become obsolete quickly, possibly leaving patients unable to use devices effectively or to afford frequent replacement of devices. While technology is evolving and hackers are continuously developing more advanced tactics, and while too much security can harm a system more than help it, the two-year cycle of guidance updates will ensure that FDA guidance and medical device security measures stay current.