Chris Harvey, senior vice president, Sedgwick brand protection, explains the findings of its report in medical device recalls.
Cybersecurity in medical devices
As medical devices become increasingly connected to the Internet and other digital networks, they also become more exposed to cyber-attacks, which threatens both the safety and the privacy of patients. This heightened risk has become a major concern for the healthcare industry: several high-profile incidents reported in recent years affected a range of devices, including IV pumps, MRI machines and heart rate monitors.
Reasons for the rise in cybersecurity threats to medical devices
There are several factors leading to the increased risk of cyber-attacks for medical devices:
- Greater connectivity – The primary reason for the rise in cybersecurity threats to medical devices is their increasing connectivity. More and more often, medical devices are being designed to connect to the Internet and other digital networks. This improves patient care by allowing for remote monitoring, software updates, and other functions. However, this connectivity also makes devices more vulnerable to cyber-attacks. Hackers can exploit vulnerabilities in software or network connections to gain access to sensitive patient data or even take control of the device itself. In these cases, a recall can be particularly challenging because of the threat to patients’ lives and the need for continuous usage of the impacted medical device if there is not a suitable alternative. Manufacturers will face new risks as technology continues to advance.
- Lack of security standards – As in many other sectors, medical device regulators are working hard to keep up with rapidly evolving technology, but there is still no single security standard applied uniformly across the industry. This makes it difficult for manufacturers to design devices that are secure by default, and equally difficult for healthcare providers to evaluate the security of the devices they are using.
- Legacy systems – Many medical devices are built on legacy platforms that were not designed with modern security requirements in mind, largely because they were never expected to be connected to a network. Once networked, these systems are especially exposed to cyber-attacks, and they are harder (and more expensive) to update or retrofit against current threats, which makes it difficult for manufacturers to patch vulnerabilities or address other security concerns.
- Lack of authority – Finally, until recently the medical device industry lacked a regulator with enforcement powers for cybersecurity. The U.S. Food and Drug Administration (FDA) did not have the authority to enforce its cybersecurity guidelines. While it had offered guidance, it was up to each device manufacturer to decide whether to heed those recommendations – and there were no penalties if they didn’t.
To help reduce this growing threat, the Consolidated Appropriations Act, 2023 (H.R. 2617) that was signed in December 2022 included provisions aimed at improving the cybersecurity of medical devices. The omnibus appropriations bill also gave the FDA the authority to establish and enforce cybersecurity standards for medical devices for the first time.
How the Consolidated Appropriations Act will help
In addition to giving the FDA more regulatory authority, the Consolidated Appropriations Act (the Act) includes several provisions to improve the cybersecurity of medical devices:
- Strengthening security requirements for medical devices – Manufacturers will be required to implement security controls to prevent unauthorised access to devices, protect the confidentiality and integrity of patient data, and ensure the availability of devices in the event of a cyber-attack. They will also be required to submit a cybersecurity plan to the FDA for review in the premarket approval process.
- Setting post-market responsibilities – Manufacturers’ plans must also detail their process and procedure to ensure that post-market software and firmware updates, as well as patches to their devices and related systems, are made available to consumers and other stakeholders as needed.
- Improving transparency and accountability – Under the new rules, manufacturers must report cybersecurity incidents to the FDA and affected patients within a specific timeframe. They will also be required to provide updates on the status of remediation efforts and on any actions taken to prevent similar incidents from recurring. Recalls are increasingly public events, since regulators are no longer reluctant to name companies through their own channels, and these rules address the need to keep patients informed. That makes it all the more important for manufacturers to follow experts’ advice and establish recall plans that set out how they will respond to a product-related crisis and how they will communicate with customers. To prepare, manufacturers should also prioritise mock recall exercises as part of their risk management protocols.
- Promoting collaboration and information sharing – The legislation includes provisions to promote collaboration and information sharing among manufacturers, healthcare providers, and the FDA. The FDA will be required to establish a public-private partnership to promote cybersecurity in the medical device industry.
- Establishing a cybersecurity centre of excellence – One of the key provisions of the legislation establishes a Cybersecurity Centre of Excellence within the FDA. This centre will coordinate efforts to improve the cybersecurity of medical devices. The Centre’s responsibilities will include developing and implementing cybersecurity standards and best practices, evaluating the security of devices, and providing guidance to manufacturers and healthcare providers. While manufacturers may face increased oversight as a result, the dedicated office will provide some clarity around how U.S. regulators will address cybersecurity concerns in the medical device industry.
The impact on medical device recalls
Medical device recalls are also impacted by the new Consolidated Appropriations Act. The Act requires medical device manufacturers to include cybersecurity information in their recall reports to the FDA. This information will help the FDA and healthcare providers better understand the cybersecurity risks associated with recalled medical devices.
In addition, the FDA must provide guidance to medical device manufacturers on how to conduct cybersecurity-focused post-market reviews of medical devices. This guidance will help manufacturers identify and address cybersecurity vulnerabilities in devices that are already on the market. By addressing these vulnerabilities, manufacturers can reduce the risk of future recalls due to cybersecurity issues.
The FDA is also required to establish a pilot program to assess the effectiveness of medical device cybersecurity vulnerability reporting. This program will provide the FDA with valuable data on cybersecurity risks and help the agency identify areas where additional measures may be needed.
Overall, the provisions included in the new Act will have a significant impact on medical device security and product recalls, as well as on patient safety. By requiring manufacturers to include cybersecurity information in recall reports, providing guidance on post-market reviews, and establishing a pilot program to assess the effectiveness of vulnerability reporting, the legislation will help reduce the risk of recalls due to cybersecurity issues.
This will not only benefit patients but will also help to reduce the financial and reputational risk to manufacturers that often results from product recalls.