As the risk of cyberattacks on medical devices continues to mount, the Food and Drug Administration isn’t doing enough to ensure device makers include adequate security in their products, experts say.
They charge that part of the problem is that the agency lacks the funds and the trained personnel to evaluate the cyber risk the devices carry and enforce the rules it does have on the books for approving devices.
“I’ve spoken to device manufacturers, specifically product security people at device manufacturers, saying that they've been telling their organizations for the last year or two that they need to include cybersecurity as part of their submissions or else they're going to get rejected,” said Mike Kijewski, CEO of medical device cybersecurity firm MedCrypt. “Yet for some of their recent submissions, they didn't have a lot of cybersecurity documentation and they still got accepted by the FDA.”
Christopher Gates, director of product security for medical device engineering firm Velentium, shared similar concerns about consistency from the FDA on the issue.
“I've seen stuff get approved that was for surgical theater use that had no mention of cybersecurity in it, nothing about mitigations,” Gates said.
Cyberattacks remain a significant risk for healthcare companies. Patient safety group ECRI reported 173 medical device cybersecurity alerts in the past five years. The organization warned that cybersecurity incidents don’t just disrupt business operations, but can “pose a real threat of physical harm.” For instance, ransomware attacks on hospitals can cause device outages that disrupt patient care, and at worst, put lives at risk.
The FDA released draft guidance in April that details what cybersecurity information device manufacturers should include when applying to have devices and the software that runs them approved by the agency, and the U.S. House of Representatives passed a bill that would codify the FDA’s authority to implement cybersecurity requirements.
In addition, the FDA is seeing a “continued increase” in the number of devices that include software functionality, or some degree of connectivity, FDA spokesperson Jeremy Kahn wrote in an email. The agency declined to say how many devices would need to submit cybersecurity information as part of the pre-market review process, but noted, “as a result of these trends, we expect that the majority of submissions will require a cybersecurity assessment.”
The problem is not that the FDA’s cybersecurity guidance is lacking, but that device manufacturers see the guidance as optional, and the agency is letting devices without adequate cybersecurity protection get through its approval process, Kijewski said.
Still, the new guidance is more detailed and more robust than the agency’s last draft in 2018, Kijewski added.
It focuses on maintaining cybersecurity throughout the life of a medical device, and requires a “software bill of materials,” effectively a list of software components in a device, he said.
The new guidance also differs from the 2018 draft in that it no longer classifies devices by cybersecurity risk, a change intended to “encourage all manufacturers to appropriately consider cybersecurity risks,” Matthew Hazelett, a cybersecurity policy analyst for the Center for Devices and Radiological Health, said in a June webinar.
Meanwhile, device manufacturers and at least one major trade group argue the FDA’s current rules are too restrictive and should be phased in gradually.
In submitted comments, Philips Healthcare raised concerns that the amount of information and level of detail is not appropriate for all types and risk classes of devices, urging the agency to “reconsider the breadth and depth of information being requested in premarket submissions.”
Trade group AdvaMed also wrote in July 10 comments that cybersecurity requirements should be risk-based, and that the FDA should provide a two-year implementation timeline.
Velentium’s Gates said he would prefer that the new guidance be aligned with other standards, such as those developed by the International Organization for Standardization, which are used by several countries as the basis for their quality management systems. Separate from its cybersecurity guidance, the FDA is adopting ISO 13485 to bring U.S. manufacturing guidelines in line with international standards.
“As you interpret these concepts, not necessarily their iteration of how to achieve them, they're actually pretty good concepts,” Gates said, adding that the FDA is “woefully underfunded” for cybersecurity.
A tight labor market
The FDA is asking Congress for about $5.5 million in 2023 to develop a cybersecurity program for devices, including hiring additional staff.
Currently, the FDA has just three people fully dedicated to medical device cybersecurity. While there are other staff members who support its work on cybersecurity, they have other responsibilities within the medical device portfolio, according to the agency.
“FDA has stated its critical need for additional resources to further advance its work on medical device cybersecurity through budget appropriations requests,” FDA’s Kahn wrote.
The most likely use of the funds, Gates said, could be training staff to be more consistent in pre-market review. For instance, cybersecurity requirements could be added to a checklist, and if companies don’t meet them, the agency could refuse to accept the device for review.
The FDA could also use the funds to provide training for field investigators. Gates said the $5 million is not likely going to give the agency enough staff.
“IT cybersecurity folks are going at a real premium, embedded cybersecurity folks, even better,” Gates added. “To go out and hire these people directly and compete with private industry, they don't have the salary for that.”
Even in private industry, at medical device companies, hiring has been slow. While the top 15 medtech firms outpaced the national average in tech hiring growth between 2021 and 2022 year-to-date, they lagged in hiring for cybersecurity positions, according to an analysis of job postings by IT trade association CompTIA.
The reason for this is unclear, Tim Herbert, CompTIA’s chief research officer, wrote in an emailed statement. It could be because medtech firms are prioritizing hiring in other tech areas such as software development and data science, or they could be opting to outsource more of the work to dedicated cybersecurity experts.
“Because it is such a tight labor market for cybersecurity talent it may be a situation where medtech firms are finding it challenging to compete with all the other employers in the market for scarce talent, and they may be pursuing more of an internal talent development strategy by upskilling and reskilling existing staff,” Herbert wrote.
In the meantime, legislation is going through Congress that would also add some “teeth” to the FDA’s requirements. The House included cybersecurity requirements that manufacturers must meet during the premarket approval process as part of legislation to reauthorize the FDA’s user fee programs. The Senate has yet to pass a version of the user fee bill.