Scott Trevino, Senior Vice President of Cybersecurity, TRIMEDX | 12.14.22
The U.S. Congress is considering three significant legislative proposals regulating medical device cybersecurity, and the FDA is finalizing its medical device cybersecurity guidance addressing pre-market expectations for device manufacturers. These government actions will aid healthcare systems in shoring up their cybersecurity defenses, but healthcare systems must take additional independent actions to fill security gaps.
Two significant healthcare data breaches occur daily, and more than two-thirds of patient care organizations have been victims. Each breach may have life-or-death consequences. Nearly one in four organizations experienced increased mortality rates after a ransomware breach, and 70% reported longer lengths of stay and poorer patient outcomes due to delays in procedures and testing. On top of patient care impacts, breaches cost healthcare systems more than $10 million on average, higher than any other industry.
An industry report conducted by Ponemon Institute shows healthcare organizations have 26,000 network-connected devices on average. More than half have a known cyber vulnerability, exposing them to cyberattacks. Federal help is needed to combat breaches, but organizations cannot wait for the government to step in. They should act now to protect their patients.
Federal Action on Medical Device Cybersecurity
The legislation closest to passing is the Healthcare Cybersecurity Act. Under the bill, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services must collaborate on improving cybersecurity measures in medical facilities and provide risk and mitigation training for healthcare personnel. The Senate Committee on Homeland Security and Governmental Affairs amended the House bill and recommended its passage.

The FDA is finalizing its medical device security draft guidance. The recommendations provide original equipment manufacturers (OEMs) with a cybersecurity device design approach to address safety through the complete product life cycle, starting with premarket QMS considerations. The document also asks OEMs to consider cybersecurity essential to the FDA's Quality System Regulation (QSR) and establish a Secure Product Development Framework to reduce vulnerabilities.
Other legislation under consideration includes the Strengthening Cybersecurity for Medical Devices Act and the Protecting and Transforming Cyber Health Care (PATCH) Act. The former requires the FDA to create a report identifying medical device cybersecurity challenges, regularly update guidance, and publish information on resources and strategies to improve medical device security. The PATCH Act mandates that OEMs provide pre-market disclosures about a medical device's security.
Congress rejected a Medical Device User Fee Act amendment to give the FDA authority to require OEMs to include certain cybersecurity information before a device goes to market.
Preparing for Legislation
While each proposal supports medical device security, each healthcare system must enact its own cybersecurity policies to experience the maximum benefits. Instead of waiting for Congress, organizations should take proactive steps now.

Cybersecurity teams should start their strategy with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The process involves:
- Identifying device risk, policies, and legal requirements.
- Protecting networks with safeguards.
- Implementing detection strategies.
- Creating a response and recovery plan.
Accurately quantifying an organization's risk requires a complete inventory of all medical devices. Inventory inaccuracies may be as high as 40%, leaving many vulnerabilities unaddressed. With an accurate record of devices and their known vulnerabilities, use, location, and risk to patient safety, cybersecurity teams can make informed decisions about remediation priorities. Mitigating risks may involve installing an OEM-validated security patch. If none is available, healthcare systems might consider removing the device from the network, putting it on a segmented network, or disposing of it and replacing it.
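As an added illustration of the inventory and triage step above (example code written for this article, not TRIMEDX's own tooling), the script below reconciles a constructed CMMS inventory against devices observed on the network, then ranks vulnerable devices by patient-safety risk and applies the remediation decision the article describes: OEM-validated patch first, otherwise segmentation, removal or replacement. All device records and vulnerability labels are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    model: str
    location: str
    known_vulns: list = field(default_factory=list)  # placeholder labels, not real CVE ids
    oem_patch_available: bool = False
    patient_safety_risk: int = 1  # 1 (low) .. 5 (critical), assessed by clinical engineering

# Constructed CMMS inventory (placeholder devices and vulnerability labels, not real data).
INVENTORY = {
    "dev-001": Device("dev-001", "infusion-pump", "ICU-3", ["VULN-A"], False, 5),
    "dev-002": Device("dev-002", "patient-monitor", "ICU-3", ["VULN-B", "VULN-C"], True, 4),
    "dev-003": Device("dev-003", "imaging-workstation", "Radiology", [], False, 2),
    "dev-004": Device("dev-004", "lab-analyzer", "Lab-1", ["VULN-D"], False, 2),
}
# Constructed network observation (e.g. from passive discovery): dev-004 is offline,
# and dev-005 was never recorded in the CMMS, the kind of gap the 40% figure refers to.
OBSERVED = {"dev-001", "dev-002", "dev-003", "dev-005"}

def reconcile(inventory: dict, observed: set) -> tuple:
    """Return (unrecorded devices seen on the network, inventoried devices not seen)."""
    recorded = set(inventory)
    return observed - recorded, recorded - observed

def recommend_action(dev: Device) -> str:
    """Decision tree from the article: validated patch first, otherwise isolate or replace."""
    if not dev.known_vulns:
        return "monitor"
    if dev.oem_patch_available:
        return "apply OEM-validated patch"
    if dev.patient_safety_risk >= 4:
        return "segment now; plan replacement"
    return "remove from network or segment"

def prioritize(inventory: dict) -> list:
    """Order vulnerable devices by patient-safety risk, then by vulnerability count."""
    vulnerable = [d for d in inventory.values() if d.known_vulns]
    vulnerable.sort(key=lambda d: (-d.patient_safety_risk, -len(d.known_vulns), d.device_id))
    return [(d.device_id, recommend_action(d)) for d in vulnerable]

if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, OBSERVED)
    print("unrecorded on network:", sorted(unknown), "| inventoried but unseen:", sorted(missing))
    for device_id, action in prioritize(INVENTORY):
        print(device_id, "->", action)
```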
A comprehensive technology-enabled medical device cybersecurity solution can strengthen a cybersecurity plan by managing inventory, monitoring, and flagging vulnerabilities. In November, FDA published an updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to aid healthcare systems in preparing for a medical device breach.
The federal government acknowledges the risk cyberattacks pose to patient care, but the legislative process is laborious and lengthy. Cybersecurity cannot be delayed. Employing a robust medical device remediation strategy in the interim is critical for healthcare systems to protect patients and their data.
Scott Trevino is senior vice president of cybersecurity at TRIMEDX, and in this capacity, he leads efforts to define the strategy to deliver value, growth, and evolution of TRIMEDX’s cybersecurity solutions. He is responsible for identifying trends in cybersecurity technology, as well as recognizing and anticipating the evolution of clients, market, and industry needs to translate them into market-leading solutions that meet the needs of and bring value to clients.