
The Internet of Medical Things is here, and so are new FDA regulations. Here’s what you need to know.

With the increasing use of software applications to treat, manage or monitor a variety of medical conditions, connected medical devices are an indispensable part of delivering high-quality patient care. In recent years, the importance of internet-connected devices has only intensified with a growing focus on virtual care, personalized medicine, and value-based models. According to a recent market report, the global internet of medical things (IoMT) market is anticipated to grow from $30.79 billion to a staggering $187.60 billion from 2021 to 2028, representing a massive CAGR of 29.5%. As its name suggests, network connectivity is table stakes for devices in the IoMT, and many of these devices are handling an increasing amount of PHI in more sophisticated ways.  

Unfortunately, many of the medical devices in a hospital are not equipped to meet the cybersecurity challenges of the IoMT, and we’ve seen a significant uptick in medical device-related breaches, a trend that has shown no signs of slowing. In fact, of all healthcare organizations that reported data breaches in the past two years, 88% cited a connected device as a contributing factor. Furthermore, one study found that 53% of medical devices have critical vulnerabilities, and the sheer number of medical devices in an average hospital makes it nearly impossible to keep track of the third-party risk each device presents. Additionally, many of these devices, such as oximeters and other monitors, go home with patients and run on their home networks, creating an added layer of complexity and risk. While the implications of any healthcare cybersecurity breach are significant, a medical device cybersecurity breach has the potential to quite literally sever patients from life-saving care.

Recognizing the growth of medical device usage and the unprecedented cost of compromise, the US government has taken action. In December of 2022, the $1.7 trillion omnibus package passed by Congress provided the FDA new authority to introduce regulations on medical device security for manufacturers. This can provide clarity in the notoriously ambiguous area of medical device security for providers and device manufacturers alike, but what will its rollout really mean, and how is it likely to impact your organization? Let’s take a closer look.  

What are the new requirements covered by law?  

The requirements established in the bill allot the FDA $5 million to enforce greater security measures in the manufacturing of medical devices. When creating a new device, a manufacturer must now submit schematics to the government with proof that the device can be updated, patched, and adapted as needed. Specific security controls must also be detailed in these submissions. Once the device reaches the market, manufacturers must provide ongoing evidence that they are monitoring potential vulnerabilities and have a cybersecurity plan in place to remediate any potential issues that arise.  

It is important to note that currently, these requirements are aimed at new medical technology products being brought to market. Questions remain as to how the law may impact products that have been on the market for years since these legacy devices are arguably the most vulnerable. The projected time and cost increases for manufacturers and providers would be significant if the law were expanded to cover already-approved devices; however, many believe these steps are warranted to protect patient safety. This bill represents a promising step in the right direction for improving the future of medical device security. 

What does this mean for manufacturers, healthcare providers, and their patients?  

Naturally, the bill has the largest direct impact on manufacturers, as the timeline of bringing a medical device to market is likely to become longer and more involved, particularly for those manufacturers that do not include compliance considerations early in the design process. However, as manufacturers implement greater security controls into their devices from the start, healthcare providers can gain confidence in the security of the new devices, which is likely to further accelerate the aggressive growth trajectory of IoMT in aggregate.  

These increased security measures will significantly reduce the device-related risk for healthcare organizations and their patients over time. But while the industry waits for more widespread medical device coverage, significant risk remains, particularly among the legacy network-connected devices that present an appealing target for malicious hackers. Addressing this risk necessitates a dedicated focus on medical device cybersecurity by healthcare providers, an area that requires specialized knowledge to address safely and thoroughly.

Looking to elevate medical device security in the age of the IoMT? Contact our team to discover how we can help.
