Medical device security continues to be casualty of hospital-medtech divide

The agency has recommended the use of “responsibility agreements” between manufacturers and healthcare organizations regarding devices that may be able to stay within acceptable performance specifications via servicing, but will pose increasing cybersecurity risks the longer they remain in use.  

However, Sensato CEO John Gomez believes there is a “misperception of responsibility” when it comes to device security that, fairly or not, places the burden squarely on the shoulders of hospitals, not device makers.  

“I’m not minimizing the responsibility of device manufacturers. But, ultimately, when that device comes within the four walls of the hospital, they have to realize they are responsible. Patient safety and security is the hospital’s responsibility,” said Gomez, whose company has an agreement with FDA to share medical device and healthcare cybersecurity vulnerability information with stakeholders.

Gomez believes manufacturers have “stepped up” in terms of providing patches for legacy devices, while MedCrypt’s Murthy contends most device makers are “trying to be good citizens” by putting out updates and providing information to hospitals on older medical devices that are still operating in the field.

However, hospitals are sometimes discouraged or even prohibited by manufacturers from doing the patches to devices themselves and for good reasons, said Erik Decker, chief information security officer at Intermountain Healthcare, during a virtual cybersecurity summit held last month by medtech BD. 

“You can’t just throw a patch on a device and assume that it’s going to fix the issue because that patch could actually cause harm,” Decker said. “It might not work properly or be quality checked. It could have its own consequences from a patient safety perspective.”

Robert Smigielski, cybersecurity engineer at medtech B. Braun Medical, doesn’t believe that healthcare organizations would know what to do with all the information on third-party software vulnerabilities, especially given the fact that hospitals must literally keep track of hundreds, if not thousands, of devices.

“We keep a handle on it. We’re the medical device manufacturer. We have to know if there’s an operating system that goes out of date. We plan for it — but, for the customer to know that?” Smigielski said. “We know that hospitals are out there running Windows 7 and they’re kind of stuck with it. So, how is this going to help them? There’s literally nothing they can do about it.”      

Intermountain’s Decker emphasizes that healthcare delivery organizations have their own responsibilities when it comes to device security.

“We implement the devices. We have to manage and maintain them while they are used in clinical settings. That is our obligation,” Decker said.  

While MedCrypt’s Murthy is sympathetic to the security demands weighing on hospitals, she believes that the burden shifts away from manufacturers when it comes to legacy devices that are no longer supported but continue to be used in healthcare facilities.

“If a hospital chooses to keep such an old device on the network well past when it should have been expired, they have to accept and understand the risk that comes with it,” Murthy said.

Mandatory lifetime support

Hospitals complain they are forced to secure legacy devices over their useful lifetimes, such as medical imaging equipment, which can last decades, while many mitigation measures — such as firewalls, network segmentation, and taking devices offline — do not completely resolve the security concerns and can potentially impact clinical workflows and patient care.

The finalized postmarket guidance on cybersecurity explains FDA’s present expectations for maintaining the security of deployed devices. However, currently, there is no statutory requirement (pre- or post-market) that expressly compels device manufacturers to address cybersecurity.

“One of the basic principles is security by design and providing the capability for the devices to be updated continuously. Lifetime support of the devices is another area that we’d like to see more manufacturers provide,” Riggi said.

FDA, in the HHS fiscal year 2021 congressional budget justification, said it is seeking to require that devices have the capability to be updated and patched in a timely manner.  

“Once the device is in their environment, hospitals need to know what security vulnerabilities are present and can be patched,” Riggi said.

Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation at FDA, told MedTech Dive the agency shares a similar sentiment. CDRH is developing an overall framework for consistent communication of medical device vulnerabilities.

FDA wants to have a new postmarket authority to require that medtechs adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified. In particular, Schwartz called out the importance of medical device companies publicly disclosing when they learn of a cybersecurity vulnerability so users know when a device may be vulnerable and to provide direction to customers to reduce their risk.

BD’s Suárez says the company is committed to transparency when it comes to informing its customers and the industry about newly discovered vulnerabilities in its medical devices.   

BD earlier this year claimed to be the first medtech company authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority, under a program sponsored by CISA, in an effort to make accurate and timely information available to their customers about its product vulnerabilities.

“You can’t protect what you don’t know. That’s why transparency is so essential for all of us in the ecosystem of medical technology … to truly understand what the issues are in these third-party components that are used in medical devices, assess the risk and then communicate that risk to customers,” Suárez said.

While there are some medtechs that already participate in coordinated vulnerability disclosures (CVD), FDA’s Schwartz contends it’s a small percentage of the medical device industry that currently does so as a best practice.

CVD, which is currently in FDA’s postmarket guidance, is a core principle for helping hospitals to “be better prepared and have the tools in place to address issues that arise,” according to Schwartz. However, Schwartz made the case that requiring CVD as part of additional legislative authorities will “level the playing field — right now it is more voluntary.”

This process of a voluntary approach between FDA and the manufacturers has not gone far enough, as it is discretionary for the device makers whether they should comply or not, Riggi argued. “It’s not binding. We’d like to see some of that guidance be made mandatory through regulation.”  

However, Zach Rothstein, AdvaMed’s vice president for technology and regulatory affairs, said the FDA guidance on post-market cybersecurity is binding for manufacturers, while maintaining that device companies and hospitals share responsibilities to keep medical devices secure over their useful lifetimes.

“This is an area [legacy devices] where AdvaMed and AHA would be more likely to be a bit more at different ends of the equation,” Rothstein acknowledged during BD’s virtual cybersecurity summit last month. “The legacy issue is complicated and it’s not something that anybody is happy exists today.”

Still, AHA makes the case that legacy devices have long been sold to hospitals by medtechs and there is little incentive for manufacturers to address the security of their installed base of products. That’s why the hospital lobby is pushing FDA to make it clear that security measures to protect legacy devices are required, not optional, and post-market cybersecurity is binding.

FDA’s recent Medical Safety Action Plan states that the agency plans to consider new pre-market authority requiring manufacturers to build capabilities to update and patch device security into product design, while providing a Software Bill of Materials that identifies the third-party components in a device so that end users can better manage the cyber risks. The agency’s plan also included consideration of new post-market authority to require manufacturers to adopt policies and procedures for coordinated disclosure of vulnerabilities when they are identified.

However, FDA has yet to implement these requirements for manufacturers as the cyber threats to legacy medical devices continue to grow.

AHA’s Riggi ultimately wants to see regulatory obligations for device makers in the same way that the auto industry is regulated.  

“Auto manufacturers are obligated to continuously provide support and correct potential safety and other defects in vehicles for the lifetime of that vehicle,” Riggi concludes. “There are regulations on the safety features included in motor vehicles. We don’t leave it to the auto industry at their own discretion to implement seat belts, airbags and recalls.”