Cybersecurity in healthcare products will no longer be an afterthought in the US.
From October 1, 2023, every new medical device with known vulnerabilities or that lacks a secure design will be rejected by the US Food and Drug Administration (FDA) and not allowed to be sold on the US market.
Healthcare manufacturers seeking approval for new medical devices will have to comply with a list of new requirements.
First Consumer SBOM Mandate Worldwide
First, applicants will need to outline a process to provide “reasonable assurance” that the device in question is protected with regular security updates and patches, including for critical situations.
Then, they will be expected to provide the FDA with a software bill of materials (SBOM), which should include commercial, open-source and off-the-shelf software components.
Speaking to Infosecurity during the Mandiant mWISE conference in Washington, DC, Taylor Lehmann, director of the Office of the CISO at Google Cloud, said this was “the first time an SBOM was required by law outside of government agencies mandates.”
Finally, healthcare providers will have to submit a plan designed to “monitor, identify and address” possible cybersecurity issues associated with the device, even after it has been approved by the FDA.
“This last requirement also marks a shift in how we treat cybersecurity in healthcare. Prior to this, once a device was approved, even when later found vulnerable, it would not be taken out of the market. This time, it could,” said Lehmann, who was chief security officer at Tufts Medicine and Athenahealth before joining Google.
Not all medical devices will be subject to these new rules. To be considered a “cyber device” that falls under the new cybersecurity rules, medical devices must be able to connect to the internet, include some form of software and contain technology that could be vulnerable to a cybersecurity threat.
This means that an air-gapped device used in a hospital will not fall under the new legislation, but consumer health devices like smartwatches will.
End of the Grace Period
This first-of-its-kind federal mandate emanates from a guidance document, called the Refuse to Accept Policy for Cyber Devices and Related Systems, which was introduced in December 2022 as part of the $1.7trn Consolidated Appropriations Act, 2023 (aka Omnibus), signed by President Joe Biden.
The Omnibus bill amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices, which requires the FDA to implement the Refuse to Accept policy.
The updated FD&C Act took effect on March 29, 2023, but a six-month grace period was granted to healthcare manufacturers, during which the FDA did not enforce the Refuse to Accept policy.
This will end on October 1.
Game-Changing for Hospital CISOs
Lehmann stated that these new requirements are game-changing for the healthcare industry, especially for hospital CISOs.
“Most health system networks today run unregulated devices in terms of security,” he said.
In 2022, the FBI found that over 50% of internet-connected medical devices in hospitals had cybersecurity vulnerabilities, and about 40% of devices at the end-of-life stage had few or no security patches.
Furthermore, cyber-attacks targeting hospitals have been rife over the past few years, with almost 89% of these institutions falling victim to at least one cyber-attack between 2021 and 2022, according to a study led by the Ponemon Institute.
“I think, and hope, that other countries will follow suit and roll out similar legal requirements enhancing the cybersecurity posture of our healthcare systems. Thankfully, in healthcare, most countries in the world tend to agree on the same standards without too much debate,” Lehmann concluded.