Don’t wait for medical device cybersecurity legislation: Act now to save patients’ lives

Cyberattacks can cost lives — especially in the healthcare sector. Nearly a quarter of healthcare providers victimized by ransomware reported increased mortality rates following an attack, and 70% experienced longer hospital stays or procedure delays leading to poor patient outcomes. Congress is working to pass cybersecurity legislation, but the process is laborious. Consequently, healthcare systems must act to prevent security breaches and protect patients’ data.

More than two-thirds of healthcare providers are victims of cybercrime. In fact, according to the Department of Health and Human Services Office for Civil Rights statistics, an average of two healthcare data breaches occur each day, twice the rate of four years ago. Each breach is costing healthcare organizations an average of more than $10 million, based on IBM’s annual Cost of Data Breach Report. In 2021, attacks compromised 40 million people’s data, and since 2009, hackers have accessed data records representing 95% of the U.S. population.

In addition to stolen data and lost money, these breaches could mean the difference between life and death. While we hope to see more government action to protect healthcare data, health systems shouldn’t wait for this legislation to pass. They need to strengthen their own defenses now. A particular focus should be put on securing medical equipment.

Legislative movement on cybersecurity of medical devices

The US federal government is considering several proposals to regulate medical device cybersecurity compliance to counteract the frequent and clinically impactful cyberattacks experienced by healthcare systems across the country.

In April 2022, the FDA issued its highly anticipated draft guidance on medical device security for public comment. The document provides device manufacturers with guidance on how to approach cybersecurity for device design and associated premarket submissions. Under the policy, original equipment manufacturers (OEMs) must create procedures to verify and validate a connected device’s design for a reasonable assurance of safety and effectiveness. The FDA recommends OEMs establish a Secure Product Development Framework to reduce product vulnerabilities and implement medical device cybersecurity requirements. The framework encompasses all aspects of a product’s lifecycle, including development, release, support, and decommission.

The Senate is currently considering the Strengthening Cybersecurity for Medical Devices Act. The proposal requires the FDA to regularly update cybersecurity guidance, publish public information on improving medical device cybersecurity and resource access, and issue a report identifying challenges in cybersecurity for medical equipment, including legacy devices.

Under the Senate’s proposed Protecting and Transforming Cyber Health Care (PATCH) Act, OEMs would need to provide information on a connected medical device’s security before it goes to market. The requirements include disclosures of vulnerabilities and defined processes and procedures to make updates and patches available to the device throughout its lifecycle.

The House passed the Food and Drug Amendments of 2022, giving the FDA authority to require device manufacturers to include certain cybersecurity information in their premarket submissions, aligning with the recent FDA draft guidance. The Healthcare Cybersecurity Act is also under evaluation in the House. This legislation demands that the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services collaborate on improving cybersecurity measures in hospitals and other medical facilities and develop products specific to healthcare entities’ needs. The organizations must also provide cyber risk and mitigation training for healthcare personnel.

These proposals are steps in the right direction to better fortify medical devices against security breaches, but none are close to implementation. Faster action is needed.

How to take proactive steps for medical device cybersecurity compliance

To immediately protect patient health and data and prepare for future legislation, health systems should evaluate and address current risks and create an ongoing remediation strategy. A successful cybersecurity program necessitates collaboration between clinical engineering and IT teams and well-defined workflows.

Start by following the National Institute of Standards and Technology’s Cybersecurity Framework. The framework consists of five tenets:

• Identify: Identify a complete inventory of devices and software, cybersecurity policies, legal requirements, and vulnerabilities.
• Protect: Enable appropriate safeguards, including access control and identity management, staff training, and information protection policies.
• Detect: Define appropriate monitoring strategies to quickly identify cybersecurity events.
• Respond: Create an action plan to react to a breach.
• Recover: Develop a strategy to restore any capabilities or services affected by the incident.

Incorporating a medical device cybersecurity solution and instituting real-time threat monitoring helps keep health systems a step ahead of hackers (and future compliance requirements). Health systems can start identifying remediation priorities by creating a complete medical device inventory list with information on equipment’s core attributes, location, and current use. Using this data, device management teams evaluate a device’s cyber vulnerability, risk, and impact on patient safety to create a risk gauge.

Each health system will have its individual risk threshold and priorities, so remediation approaches will vary. That’s why each organization needs to identify a risk management strategy. Including technology in the medical device cybersecurity plan can improve threat monitoring by managing equipment inventory and identifying vulnerabilities for medical device teams to address.

Cyberattacks threaten patient lives and sensitive data and cost significant amounts of money. While attack preparation and prevention are not simple, they are imperative. Help will eventually arrive in the form of government regulations, but in the meantime, health systems must develop and implement their own cybersecurity strategy to protect their patients.