Acknowledging the urgency of addressing new cyber threats on medical and healthcare devices, the US Food and Drug Administration (FDA) issued a guidance document entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”
This document supersedes the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance, which was released nearly a decade ago.
An update on regulations for digital and connected healthcare devices has been a long time coming.
A lot has already changed in the world of computers and the internet. A wide range of devices has gained connectivity and smart functions, which provide advantages but also create new cyber-attack surfaces. Regulations need revisiting to keep up with the times.
It is worth pondering, though, if this guidance update is strong enough to deal with threats and attacks that ceaselessly become more sophisticated and aggressive.
Of course, nobody expects regulations to completely resolve threats, but they need to have some reasonable extent of efficacy.
The guidance document update
The FDA cybersecurity guidance update is mainly about the cybersecurity measures medical device makers have to adopt and what information to include in their premarket submissions to the FDA. The agency also clarifies many of the unclear aspects of the older guidance document.
Medical devices are not known to be built with cybersecurity as an essential consideration.
This is changing, as the FDA is now calling for all manufacturers to be conscious of the cyber threats that target their products. The agency provides recommendations on how to make medical devices resilient to cybersecurity attacks and maintain consistent cyber defenses.
One notable guideline in this FDA update pertains to leveraging data and code integrity. Manufacturers of smart or connected medical devices are advised to go beyond the usual security validation and risk management strategies.
The FDA calls for the validation of the integrity of all data coming from external sources, ensuring that the data is well-formed and per the specifications and protocols established for data handling.
This is a timely update in view of the growing prevalence of memory or buffer overflow vulnerabilities.
Medical devices, just like IoT and other low-resource devices, are prone to buffer overflow attacks, wherein threat actors feed data to an app or program (in the medical device) that is beyond its allocated capacity.
These attacks overwrite data onto adjacent memory blocks, which can cause the app to behave erratically.
Worse, they can introduce anomalous code and execute it within the device. The anomalous code can facilitate data theft or open access to IT systems.
On the other hand, the FDA recommends the use of host-based intrusion detection and prevention systems together with constant event and data logging to support better threat detection and incident response.
The agency emphasizes the fact that medical devices may not have their own full-fledged cybersecurity software because of their limited resources.
Using host-based intrusion detection systems (HIDS) and host-based intrusion prevention systems (HIPS) is a viable way to secure medical devices.
Cyber threats affecting medical devices
Here are some of the leading cyber threats that target medical systems and connected devices used in healthcare.
- Ransomware – The infection of malware designed to encrypt files that may only be decrypted once the victim pays the ransom is a major threat in the healthcare industry. As the FBI reports, ransomware attacks have hit healthcare more than any other critical sector.
- Software supply chain attacks – Attempts to corrupt software supply chains are quite common in the field of medicine and healthcare. The attacks on Shields Health Care Group and the Partnership HealthPlan of California provide clear reminders of the seriousness of the problem. Large healthcare institutions are not the only targets, though. Reports show that attackers are also training their sights on smaller hospitals and clinics.
- IoT/wearable/implant device vulnerabilities – IoT, including medical devices, present new cybersecurity challenges because of their low-resource and web-enabled nature and the complexities of configuring and maintaining them. In particular, they are associated with buffer overflow attacks, which are not only capable of altering device functions but also threatening patients’ lives. They can also be instrumental in exposing private data.
- State-sponsored attacks – The geopolitical conflicts in different parts of the world have resulted in concerted state-directed cyber attacks aimed not only at government organizations but also private organizations and individuals. These attacks are taking advantage of the relatively weak defenses of medical devices.
Is the FDA guidance update enough?
The FDA guidance update is a step in the right direction. It is particularly laudable that policymakers are showing a good grasp of the current threat landscape.
In particular, their cognizance of the role of device makers in boosting cybersecurity for the medical and healthcare industry amps up efforts to improve cybersecurity.
By obliging device makers to take steps to ensure product security and effectiveness in the pre-market and post-market stages, the FDA is significantly reducing the likelihood of vulnerable devices flooding the market.
It may mean added costs on the part of manufacturers, but it is a cost-efficient investment in cybersecurity and customer satisfaction in the long run.
The FDA’s mention of host-based intrusion detection and prevention systems is also notable, as it emphasizes the need for capabilities to detect and prevent attacks at runtime, which is a favorite strategy for threat actors that are exploiting vulnerabilities in medical devices and IoT.
No matter how fast device makers come up with security patches or firmware updates for their devices (in response to newly discovered vulnerabilities), they cannot eliminate the gap between the vulnerability discovery and the release and application of security patches.
This gap is enough for threat actors to launch attacks and inflict damage. A host-based intrusion and detection system affords real-time protection that can prevent or at least mitigate the impact of an attack.
With the growing popularity of cloud computing and the use of connected medical devices (and other IoT products), conventional cybersecurity is no longer enough.
On-premise and perimeter security solutions no longer work to address the kinds of threats hounding cloud and hybrid environments involving a multitude of devices.
Also worth noting, it is tedious and inefficient to apply security patches to numerous medical devices one by one.
In conclusion, it would be inexpedient to say that the FDA’s cybersecurity update is enough to address all the threats affecting medical devices.
However, it would be impudent to characterize it as insufficient. No regulation will ever be foolproof. What’s commendable about this new guidance document is that it mobilizes all affected parties or stakeholders to play a role in fending off cyber threats.
The FDA, by the way, also has a cybersecurity labeling program, which enables consumers to make informed choices with their medical device purchases.
The FDA is making wise decisions in making cybersecurity a shared responsibility among device makers, government agencies, healthcare providers, and consumers.
