Chris Harvey, Sedgwick’s Senior Vice President, Brand Protection, explains the findings of its report on medical device recalls.
As medical devices become increasingly connected to the Internet and other digital networks, they also become more exposed to cyberattacks, which threatens both patient safety and patient privacy. This increased risk has become a major concern for the healthcare industry: several high-profile incidents have been reported in recent years involving a range of devices, including IV pumps, MRI machines and heart-rate monitors.
Reasons for the increase in cybersecurity threats to medical devices
There are several factors that increase the risk of cyber attacks for medical devices:
- Greater connectivity – The main driver of the increase in cybersecurity threats to medical devices is their growing connectivity. Devices are increasingly designed to connect to the Internet and to hospital networks, which improves patient care by enabling remote monitoring, software updates and other features. The same connectivity, however, widens the attack surface: attackers can exploit vulnerabilities in device software or in network connections to reach sensitive patient data or even take control of the device itself. A recall in such cases is particularly difficult, because the vulnerability threatens patients’ lives while the affected device may still have to remain in use if no suitable alternative exists. Manufacturers will face new risks as the technology continues to advance.
- Lack of security standards – As in many other sectors, medical device regulators are working hard to keep up with rapidly evolving technology, but there are currently no uniform, enforceable security standards across the industry. This makes it difficult for manufacturers to design devices that are secure by default, and equally difficult for healthcare providers to assess the security of the devices they buy and operate.
- Legacy systems – Many medical devices are built on old platforms that were not designed with modern security requirements in mind, largely because they predate network connectivity. These systems can be particularly vulnerable to cyberattacks and are harder (and more expensive) to update against current threats, which makes it difficult for manufacturers to patch vulnerabilities or resolve other security issues.
- Lack of authority – Finally, there has been a lack of regulatory authority in the medical device industry. The US Food and Drug Administration (FDA) lacked the power to enforce its cybersecurity guidance: while it had published recommendations, it was up to device manufacturers to decide whether to follow them, and there were no penalties if they did not.
To help reduce this growing threat, the Consolidated Appropriations Act of 2023 (H.R. 2617), signed into law in December 2022, included provisions aimed at improving the cybersecurity of medical devices. The omnibus appropriations bill also gave the FDA, for the first time, the authority to set and enforce cybersecurity requirements for medical devices.
How the Consolidated Appropriations Act will help
In addition to giving the FDA more regulatory authority, the Consolidated Appropriations Act (the Act) includes several provisions to improve the cybersecurity of medical devices:
- Reinforcement of security requirements for medical devices – Manufacturers will need to implement security controls that prevent unauthorized access to devices, protect the confidentiality and integrity of patient data, and preserve the availability of devices in the event of a cyberattack. They will also have to submit a cybersecurity plan to the FDA for review as part of the premarket submission process.
- Establishment of post-market responsibilities – Manufacturers’ plans must also detail their processes and procedures for ensuring that post-market software and firmware updates, as well as patches to their devices and related systems, are made available to customers and other interested parties as appropriate.
- Improved transparency and accountability – Under the new rules, manufacturers must report cybersecurity incidents to the FDA and affected patients within a specified time frame. They will also be asked to provide updates on the status of remediation efforts and on any actions taken to prevent similar incidents in the future. With recalls becoming more public, because agencies do not hesitate to call out companies through their own channels, these rules address the need to keep patients informed. This makes it even more important for manufacturers to follow expert advice when establishing recall plans that set out how the manufacturer will respond to a product-related crisis and how it will communicate with customers. To prepare, manufacturers should also prioritize mock recall exercises as part of their risk management protocols.
- Encouragement of collaboration and information sharing – The legislation includes provisions to promote collaboration and information sharing between manufacturers, healthcare providers and the FDA. The FDA will need to establish a public-private partnership to promote cybersecurity in the medical device industry.
- Establishment of a cybersecurity center of excellence – One of the key provisions of the legislation establishes a Cybersecurity Center of Excellence within the FDA to coordinate efforts to improve the cybersecurity of medical devices. The Center’s responsibilities will include developing and implementing cybersecurity standards and best practices, assessing device security, and providing guidance to manufacturers and healthcare providers. While manufacturers may face increased oversight as a result, the dedicated office will provide some clarity on how US regulators will address cybersecurity issues in the medical device industry.
The impact on medical device recalls
Medical device recalls are also affected by the new Consolidated Appropriations Act. The Act requires medical device manufacturers to include cybersecurity information in their recall reports to the FDA. This information will help the FDA and healthcare providers better understand the cybersecurity risks associated with recalled devices.
In addition, the FDA must provide guidance to medical device manufacturers on how to conduct post-market reviews focused on the cybersecurity of their devices. This guidance will help manufacturers identify and address cybersecurity vulnerabilities in devices already on the market, and by addressing those vulnerabilities manufacturers can reduce the risk of future recalls caused by cybersecurity issues.
The FDA must also establish a pilot program to evaluate the effectiveness of medical device cybersecurity vulnerability reporting. This program will provide the FDA with valuable data on cybersecurity risks and help the agency identify areas where additional measures may be needed.
Overall, the provisions of the new Act will have a significant impact on medical device security, product recalls and patient safety. By requiring manufacturers to include cybersecurity information in recall reports, providing guidance on post-market reviews, and establishing a pilot program to evaluate the effectiveness of vulnerability reporting, the legislation will help reduce the risk of recalls caused by cybersecurity issues.
This will not only benefit patients but also reduce the financial and reputational risk that product recalls so often create for manufacturers.
The U.S. Congress recently took a bold step toward empowering the Food and Drug Administration to better protect medical devices from cyber threats. The House and Senate have passed a budget bill that quietly grants the FDA authority to act on those threats, raising hopes that the healthcare industry will be better regulated when it comes to security and privacy.
This milestone for the healthcare industry was championed by the US Department of Health and Human Services, which has since commended the bipartisan effort that pushed the initiative through. As a result, the FDA now has the power to set standards and regulations to ensure that medical devices carry appropriate safeguards against potential cyber threats.
In this increasingly connected world, the possibilities for attacks on medical devices, including malware, are seemingly endless. Even though medical device manufacturers are already aware of the potential dangers and work to reduce cyber risk, a central government agency is best placed to oversee and quantify the risk for every device made.
The cybersecurity and privacy of medical devices remains a major concern, especially for those working in the industry. This latest bill has raised hopes of a more cohesive approach to managing such threats. It emphasizes the need for a proactive stance on network security, adding a previously missing layer of health IT protection in the US.
Ikaroa is a tech company that works to develop top-of-the-line cybersecurity solutions to tackle a wide range of cyber threat-related issues. Our commitment is to put forth the best security solutions in order to help secure medical devices and networks. Our services are tailored toward enabling the secure and reliable transfer of data while protecting the privacy of patients. We look forward to collaborating with the FDA in the hope of making substantial progress in protecting healthcare networks across the U.S.