Cyberattacks have long posed a major challenge to healthcare providers, but we’re now entering a new phase in the threat landscape where malicious actors are preparing to cause even more damage.
A growing number of threat actors, from cybercriminal gangs focused on ransomware to state-sponsored attackers, are targeting connected medical devices (known as the Internet of Medical Things, or IoMT) in order to disrupt patient care, steal information or gain persistent access to hospital networks.
These attacks are readily achievable due to the relatively poor state of foundational medical device security hygiene, which presents a simple vector for threat actors who can hold these devices for ransom and render them unusable, among other types of attacks.
The Food & Drug Administration (FDA) is responding to this threat with a new effort to boost the security of these devices so providers and their patients are better protected.
The FDA recently released new cybersecurity guidance for medical device makers that requires them to provide reasonable assurance that their devices are cybersecure, and to supply post-market updates and security patches to keep those devices protected. This new guidance, which falls under the FD&C Act (Section 524B, “Ensuring Cybersecurity of Devices”), went into effect on March 29, 2023.
The FDA’s new guidance makes important changes to how medical devices are developed and maintained by their manufacturers, and it could certainly go a long way toward reducing the risks providers may face. However, it’s important for providers to recognize that this guidance – while a significant step in the right direction – does not address all of the risks associated with medical devices. There are several areas where providers will need to remain vigilant in order to protect their patients and maintain operational integrity.
Here are four key issues to keep in mind:
Legacy devices need not apply
The FDA’s new cybersecurity requirements only apply to new medical devices, which are submitted for premarket approval on or after March 29, 2023. This means existing, or older/legacy, devices are not required to meet these elevated standards.
There has been extensive research on the security limitations of IoMT devices, and in our own analysis we have found that many devices lack strong password policies (they may ship with default or weak passwords), run firmware that is often several years out of date and may contain multiple high-risk vulnerabilities, and carry lax settings and misconfigurations, among other problems. For example, Phosphorus Labs has observed that up to 90% of infusion pumps in active clinical settings are running with default passwords.
Security issues are likely to persist
Under these requirements, device makers will need to follow better development practices in order to build products that are more secure from the start. However, this doesn’t necessarily mean the device will be free from security problems.
To begin with, device manufacturers do not have complete control over their products, from a software development standpoint. Most of these devices utilize third-party software and firmware, and they may also include third-party hardware components as well. It is more difficult to ensure the security of a product when it relies on third-party code.
Additionally, even the most talented software development teams can still make mistakes, either by overlooking certain vulnerabilities or accidentally introducing them into the software/firmware design. Better development practices can reduce risks, but they can’t completely eliminate them.
Security patches take time to deliver
One of the most important new FDA requirements is that device makers must have a process in place to provide post-market security support to their products. This will go a long way toward reducing the risks with these devices.
That said, it will still take time for device makers to (a) discover new vulnerabilities and (b) develop patches to fix them. Finally, the patches have to be (c) implemented on the device. This A-to-C process will likely take several months on average to complete – and in some cases, it could take significantly longer.
During this waiting period, threat actors that discover the same vulnerability can write or buy an exploit and begin carrying out attacks. This is what is known as a “zero day” attack – when hackers are able to exploit a vulnerability before a patch is available. The U.S. Department of Health and Human Services issued a warning about the growing risk of healthcare zero day attacks in 2021.
Healthcare providers may also run into additional problems in terms of keeping up with vulnerability announcements and patches. They could also struggle to determine who is responsible for implementing these updates, or for implementing compensating controls by changing configurations on vulnerable devices while awaiting a patch from the manufacturer. (Is it the vendor’s responsibility? The IT team? Facilities management?)
Monitoring not included
The new standards do not require manufacturers to monitor their products for signs of suspicious activity. Once a medical device is deployed in a healthcare environment, it is the provider’s responsibility – not the manufacturer’s – to make sure it does not become infected with malware or is otherwise compromised or accessed by an unauthorized user. Manufacturers do not have complete control over how devices are installed and operated in clinical settings.
This type of continual monitoring can be a daunting task for providers, due to the sheer number and diversity of these devices, which can range from patient health monitors to infusion pumps and MRI machines.
How to Ensure Robust Device Security
Overall, the FDA’s new security requirements are an important step forward in securing healthcare facilities from potential cyberattacks. However, providers must still remain vigilant to protect their medical devices from a variety of threats.
Healthcare providers are a lucrative target for cybercriminals, and an effective disruption target for U.S. adversaries, so these attacks will not scale down – they are only going to increase in frequency and complexity.
To better protect critical equipment, providers need to carry out several key security steps.
Inventory management & risk assessment
Accurate inventorying is vital. Providers must know exactly how many and which type of devices they have, where they are on the network, and what their security and risk status is (i.e., end-of-life or discontinued devices, password strength, firmware status/age, device configurations, etc.). This can be a complex task due to the sheer size and variety of devices on the network, so healthcare providers should look to third-party solutions.
Strong access & authentication controls
Make sure all devices use strong passwords and rotate/change them regularly. Restrict or disable remote access features. Devices should also have valid, up-to-date digital certificates.
Patching & lifecycle management
Devices must be regularly updated and patched to address exploitable firmware vulnerabilities. Establish a scalable device lifecycle management framework tailored to your organizational needs.
Continuous monitoring & configuration management
Medical devices require continuous monitoring to check for “configuration drift” (i.e., changed device settings), new updates or security patches being made available, passwords changing back to factory defaults, devices being moved, etc. This requires a comprehensive security strategy.
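The inventory, access-control, patching and drift-monitoring steps above can be combined into one automated check that compares a discovery tool's current view of each device against the approved baseline. This is an added example, not code from the article or from Phosphorus; the device records, baseline, policy thresholds and assessment date are all constructed assumptions.

```python
from datetime import date

MAX_FIRMWARE_AGE_DAYS = 730  # assumed policy threshold, not a figure from the article
CERT_WARN_DAYS = 30          # assumed policy threshold
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
AS_OF = date(2024, 4, 20)    # constructed assessment date

# Constructed approved baseline: each device as recorded when it was commissioned.
BASELINE = {
    "pump-0042": {"vlan": 310, "location": "ICU-2", "firmware": "4.2.1"},
    "monitor-0107": {"vlan": 310, "location": "ICU-2", "firmware": "2.9.0"},
}
# Constructed current inventory, as a discovery and credential-audit tool might report it.
INVENTORY = [
    {"id": "pump-0042", "vlan": 310, "location": "ICU-2", "firmware": "4.2.1",
     "firmware_date": "2019-06-01", "end_of_life": False, "default_credentials": True,
     "remote_access": False, "cert_expiry": "2026-03-01"},
    {"id": "monitor-0107", "vlan": 200, "location": "Ward-5", "firmware": "2.9.0",
     "firmware_date": "2023-02-10", "end_of_life": False, "default_credentials": False,
     "remote_access": True, "cert_expiry": "2024-05-10"},
    {"id": "mri-0003", "vlan": 410, "location": "Radiology", "firmware": "1.0.4",
     "firmware_date": "2016-11-20", "end_of_life": True, "default_credentials": False,
     "remote_access": False, "cert_expiry": "2023-01-01"},
]

def assess_device(dev, baseline, today):
    """Return (severity, finding) pairs, worst first; an empty list means no issue."""
    findings = []
    if dev["end_of_life"]:
        findings.append(("high", "end-of-life device: no vendor patches available"))
    if dev["default_credentials"]:
        findings.append(("high", "factory-default credentials in use"))
    if dev["remote_access"]:
        findings.append(("medium", "remote access feature enabled"))
    fw_age = (today - date.fromisoformat(dev["firmware_date"])).days
    if fw_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", f"firmware {dev['firmware']} is {fw_age} days old"))
    cert_left = (date.fromisoformat(dev["cert_expiry"]) - today).days
    if cert_left < 0:
        findings.append(("high", "device certificate has expired"))
    elif cert_left < CERT_WARN_DAYS:
        findings.append(("medium", f"device certificate expires in {cert_left} days"))
    base = baseline.get(dev["id"])
    if base is None:
        findings.append(("medium", "device not in the approved inventory"))
    else:  # configuration drift: anything that changed since commissioning
        for key in ("vlan", "location", "firmware"):
            if base[key] != dev[key]:
                findings.append(("low", f"drift: {key} {base[key]!r} -> {dev[key]!r}"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])
```

Run `assess_device` over every record in the inventory on each monitoring cycle; a device whose findings change between cycles is the drift signal the section describes.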
Make security fundamental
Build a culture of security within the healthcare organization. This includes training staff on security awareness and incident response.
Sonu Shankar, vice president of Phosphorus, is a 15-year veteran of the cybersecurity industry, who has led efforts in software development, product management, threat detection and cybersecurity strategy at companies including Arctic Wolf and Cisco.