FDA Bans Sale of IoMT Devices That Fail Cybersecurity Requirements

Picture this. You’re at the hospital, hooked up to a medical device meant to help you. Or you’re walking around with this device planted inside you as you go about your day. But little do you know that hackers could potentially access your personal health information stored in that device or maybe even take control of that device altogether. Scary, right?

Sadly, it’s not just a hypothetical situation. Major MedTech companies like BD, Insulet, and Zoll Medical have already reported cybersecurity vulnerabilities in their devices that could compromise sensitive data or patient outcomes.

This is primarily a case of security needing to catch up with technology. Internet-connected medical devices, often called Internet of Medical Things (IoMT), have become a common feature of the healthcare landscape over recent years and provided many benefits. For example, these devices enable proactive healthcare, leading to better patient outcomes and cost savings while empowering patients to receive care at home.

Still, while the capabilities of these devices are rapidly advancing, their security continues to lag. The situation presents new challenges for MedTech companies and Internet of Things (IoT) security professionals.

Now, the Food and Drug Administration (FDA) is stepping in to ensure that medical devices meet specific cybersecurity guidelines. But what exactly are these new rules? And just how dangerous of a situation is medical device hacking? Let’s get into it.

Strengthening Medical Device Cybersecurity: FDA’s New Guidelines

The FDA has issued new cybersecurity guidelines for medical devices in response to growing concerns about cyber threats to internet-connected products used in healthcare settings. These guidelines are part of the $1.7 trillion federal omnibus spending bill signed by President Joe Biden in December.

Under the new requirements, all new medical device applicants must submit a plan on how they will monitor, identify, and address cybersecurity issues and provide “reasonable assurance” that their devices are protected. They must also make security updates and patches available on a regular schedule, including for critical situations. Additionally, applicants need to provide a “software bill of materials” that lists all the software components used in their devices, including open-source software.

These requirements are aimed at preventing breaches by ensuring that medical device makers have plans in place to address cybersecurity vulnerabilities and quickly roll out updates to mitigate risks. The FDA will begin enforcing these requirements on October 1, 2023, to allow device makers sufficient time to comply.

The new law also mandates that the FDA work with the US Cybersecurity and Infrastructure Security Agency (CISA) to update its existing guidance on cybersecurity in medical devices within two years and periodically update it after that. The FDA must also update its online resources within six months of the bill’s enactment to provide up-to-date information on how healthcare providers and device makers can identify and address vulnerabilities and work with federal agencies to strengthen device security.

Additionally, the US Comptroller General has one year to develop a report identifying challenges in cybersecurity for devices and providing suggestions for how government agencies can help minimize these challenges for manufacturers, healthcare providers, and patients.

What IoMT Devices Are Vulnerable to Cyber-Attacks?

One example that highlights the vulnerability of medical devices to cyber attacks is the case of former Vice President Dick Cheney’s heart defibrillator. In 2007, cautious doctors replaced Cheney’s defibrillator and modified it to disable the wireless feature to prevent potential terrorists from sending a signal to the device and causing harm. This incident highlighted the serious risks associated with internet-connected medical devices, as hackers could potentially gain unauthorized access and manipulate the device’s settings, leading to life-threatening consequences.

Other IoMT devices, such as insulin pumps and infusion pumps, are also vulnerable to cyber-attacks. These devices often have wireless connectivity to allow for remote monitoring and adjustments, but this can also create potential entry points for hackers to exploit. For example, a cyber attacker could potentially hack into an insulin pump and administer an incorrect dosage, leading to dangerous fluctuations in blood sugar levels.

The reasons why IoMT devices are vulnerable to cyber-attacks are multifaceted. Many medical devices use outdated or legacy software systems that may not have the latest security patches or updates, making them susceptible to known vulnerabilities. Additionally, manufacturers may prioritize functionality and ease of use over security measures, resulting in inadequate protection against cyber threats.

Moreover, the rapid pace of technological advancements in the healthcare industry can outpace the development of robust cybersecurity measures, leaving IoMT devices vulnerable to emerging threats.

Embracing a Security Mindset

These new FDA rules will give MedTech companies the push to adopt a security-centric mindset. However, that’s not to say that MedTech companies have been burying their head in the sand when it comes to IoT security. In a Deloitte study into the top priorities of medical technology companies, cyber readiness ranked joint-top, beating research and development and global markets.

MedTech companies will likely start implementing robust authentication protocols and stringent access controls across all IoMT devices to ensure patient data can’t fall into the wrong hands. Similarly, strong data encryption is crucial for protecting patient information and preventing unauthorized access. All data transmitted between IoMT devices, as well as data stored on the devices or in the cloud, should be encrypted using robust encryption algorithms.

Regular security audits to identify and address any potential vulnerabilities in IoMT devices will also become far more common. This can include penetration testing, vulnerability scanning, and code reviews to identify and fix potential security flaws.

Lastly, regular updates and patches (as outlined by the FDA) will become the new norm. Essentially, MedTech companies will regularly update medical devices with the latest security patches and firmware updates. This helps to address known vulnerabilities and protect against known exploits.