White House and FDA Launch New Medical Device Security Plan
Published On August 3, 2021
Blog Post by Nick Keys, Manager at Meditology Services
The FDA has announced a plan to improve cybersecurity practices for medical devices in response to the White House’s effort to bolster cybersecurity across the supply chain.
Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, has warned of cyber-attacks not just affecting technology that stores and processes data, but also affecting technology directly responsible for patient health.
For example, a recent ransomware attack on the Irish Healthcare service disrupted normal operating procedures in one hospital for weeks. The key issue pointed out by the FDA has been the inability to distinguish between IT (technology that stores and processes data) and OT (Operational Technology that operates and controls specific devices).
Moving forward, there will be a heavy focus on the regulation and implementation of a Software Bill of Materials (SBOM), which is “an electronically readable format designed to provide an inventory of third-party components in devices.” SBOMs are going to be an important focus to secure software in the supply chain and create transparency for medical device security.
The White House Responds to Supply Chain Attacks
Joe Biden’s administration has been trying to stay ahead of the curve in regulating national cybersecurity, passing a $6 Trillion (yes, trillion) bill that would allocate about $110 million for the Cybersecurity and Infrastructure Security Agency, $750 million for responding to “the SolarWinds incident”, and $86 million towards the Office of the National Coordinator for Health IT. All that money is a good step, but what are we to do with it going forward?
NIST hosted a virtual workshop on June 2nd and 3rd in response to the Executive Order on Improving the Cybersecurity of the Federal Government (14028) that was issued on May 12, 2021. One of the biggest calls to action was enhancing software supply chain security, which has lacked formal mandate authority. The FDA, in agreement with NIST, stated that the latest ransomware attacks “highlight the ungraceful failure of perimeter-based firewalls and the safety consequences of not separating [operational technology] from [information technology] by design.”
You can learn more about President Biden’s executive orders on supply chain risk in our related CyberPHIx podcast episode where we provide a full rundown and analysis of the orders.
Patient Safety Risks from Supply Chain Attacks
Medical device security goes beyond impacting patient information privacy: it puts individuals’ well-being at risk, which can lead to serious injury or even death, as was the case in one European hospital. One area for improvement is standards and regulations. This is where the Software Bill of Materials comes in. Think of an SBOM as “kind of like an ingredient label for the software components that are in a medical device.” This will allow for better transparency about what kind of technology is being used in these medical devices. This information will drive better decisions down the road, as well as more effective and consistent patching of these devices.
But the development of SBOMs is just the start. The FDA has encouraged NIST and the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to keep expanding on these ideas and to reach out to experts in both the public and private sectors to improve OT security.
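To make the “ingredient label” idea concrete, here is an added example (not from Meditology, the FDA or any vendor) that reads a constructed CycloneDX-style SBOM for a hypothetical device firmware image and cross-references it against a constructed advisory feed to produce a severity-ordered patch list. The SBOM contents, the advisory IDs (ADV-0001 and so on) and the fixed-version numbers are all made up for illustration and are not real vulnerabilities.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOM (CycloneDX 1.4 JSON shape) for a hypothetical "pump-fw" image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "pump-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "operating-system", "name": "embedded-linux-kernel", "version": "4.9.1"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVEs): each entry names the
# affected component, the first version that carries the fix, and a CVSS-like severity.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "fixed_version": "1.1.1", "severity": 9.8},
    {"id": "ADV-0002", "component": "embedded-linux-kernel", "fixed_version": "4.9.3", "severity": 7.0},
    {"id": "ADV-0003", "component": "zlib", "fixed_version": "1.2.12", "severity": 8.2},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.2k' into a comparable tuple; a trailing letter becomes a patch number."""
    parts: List[int] = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        letters = p[len(digits):]
        parts.append(int(digits) if digits else 0)
        parts.append(ord(letters[0]) - ord("a") + 1 if letters else 0)
    return tuple(parts)

def load_components(sbom_json: str) -> Dict[str, str]:
    """Map component name -> installed version from the SBOM's component list."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}

def patch_list(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Return advisories whose component is present below the fixed version, worst first."""
    inventory = load_components(sbom_json)
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed and parse_version(installed) < parse_version(adv["fixed_version"]):
            hits.append({**adv, "installed": installed})
    return sorted(hits, key=lambda h: h["severity"], reverse=True)

if __name__ == "__main__":
    for h in patch_list(SBOM_JSON, ADVISORIES):
        print(f'{h["id"]}: {h["component"]} {h["installed"]} -> fix in {h["fixed_version"]} (sev {h["severity"]})')
```

Running it lists openssl and the kernel as needing updates while zlib, already past its fixed version, is left off the list; this is the kind of consistent, inventory-driven patch decision the SBOM is meant to enable.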
There are many areas for improvement, but beginning the process of providing clarity for the software supply chain is a great start to an arduous journey. Meditology has over a decade of experience in assessing medical device security. We have been at the forefront of building a medical device program informed by strong recommendations from the FDA, MDISS, HIMSS and HITRUST, among others.
We offer the following medical device security programs:
- Medical Device & IoT Inventory and Risk Assessment - Budget-friendly starting point; includes a comprehensive risk assessment, medical device and IoT discovery and inventory, and a prioritized corrective action plan
- Medical Device Security Remediation - Full service offering to orchestrate the patching and remediation of known vulnerabilities for your medical device assets; includes managed services for project management, coordination with vendors, coordinating stakeholders and downtime, and patching of devices
- Medical Device Program Blueprint - Unmatched medical device security program that will accelerate your medical device security initiative and take advantage of lessons learned from leading health systems. Adopt practices developed for premier healthcare organizations and avoid re-inventing the wheel on medical device security
- Managed Medical Device Security Program - Full-service solution that includes the development and implementation of your medical device security program from end-to-end