Internet-connected medical devices have transformed healthcare, but not without introducing significant risks. After years of lobbying, changes to medical device cybersecurity standards are finally coming as part of the Consolidated Appropriations Act. The omnibus spending bill includes language requiring medical device manufacturers to ensure that their devices meet specific cybersecurity requirements. This article looks at the proposed changes and how they could trickle down to include other wearable devices and applications in the future.
The State of Medical Device Security
Over the past few years, politicians and healthcare leaders have pushed for further guidance and regulations surrounding medical device security. Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and could pose security risks.
It’s no secret that cybercriminals frequently target medical devices. Capterra recently surveyed 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the internet were experiencing more cyberattacks. They found that medical practices with a higher percentage of connected medical devices experienced more cyberattacks than those with a low percentage of connected medical devices.
Ongoing struggles with securing and keeping track of medical devices, the industry’s reliance on legacy systems, and increased federal cybersecurity focus prompted legislative action.
Proposed Changes to Medical Device Security Standards
Once enacted, the omnibus bill would require device manufacturers to “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”
Additionally, manufacturers must design and develop processes to ensure that their devices and related systems are secure, including post-market updates and patches. These updates will take effect 90 days after the bill is signed.
The bill would also require manufacturers to provide a software bill of materials (SBOM) to the Secretary detailing the software’s off-the-shelf, open-source, and commercial components. CISA defines a software bill of materials as “a nested inventory, a list of ingredients that make up software components.” SBOMs have grown in popularity because they make it easier to know if a specific threat impacts your software. For instance, one of the reasons that the log4j attack was so threatening was that log4j is widely used in various consumer and enterprise services, websites, and applications to log security and performance information. An average software user had no way of knowing if their services used log4j, putting them at risk of a breach. Having a SBOM makes it easy to know if the exploit threatens your software.
Finally, the omnibus bill would also require the Food and Drug Administration to issue further guidance on improving the cybersecurity of medical devices. The Government Accountability Office (GAO) would also be expected to release a report within the next year to identify remaining challenges surrounding device security. This bill represents only the first step in improving the security and regulations for medical devices.
The Future of Medical Devices and the Internet of Medical Things (IoMT)
These improvements are necessary considering the recent popularity of personal medical devices. Though the proposed regulations do not necessarily apply to fitness trackers and smartwatches, it’s easy to imagine a future in which medical providers use similar devices to record and transmit patient data to electronic health records.
As smartwatches, remote patient monitoring tools, and other devices that allow individuals to track, send, and store health data are gaining market share, they will also come under scrutiny by regulators. Organizations must decide how to safely use these tools and make decisions to ensure interoperability with their systems. Not all medical devices and applications are designed with patient security and privacy in mind.
People love how easy it is to track step counts with a Fitbit or Apple Watch, but as we know, balancing usability with security is a challenging task. Tracking physical activity is one thing, but as these devices evolve to collect more sensitive health information, integrating them with health systems while maintaining patient privacy will be a considerable challenge. It is clear that as health tech evolves, so too must our security practices. These new regulations are only the first step to securing the vast quantities of digital health data that are collected and distributed by third parties not subject to HIPAA requirements.