Last October, the U.S. Food and Drug Administration (FDA) issued a call for comments on new draft guidance covering the cybersecurity of networked medical devices, including devices implanted in patients that send medical data to a home monitoring unit, which in turn forwards the data to health care providers. The FDA's comment period closed last week, and the agency is now reviewing more than 40 comments before issuing final guidance.
The FDA has been addressing the security of implanted medical devices for at least 10 years, and no attack directed at device users has been reported so far. The agency issued its first warning in 2015, for an infusion pump system with a vulnerability that could let an attacker interfere with the pump's operation. Since then, it has issued five statements and updates, all concerning implantable cardiac devices.
In general, these systems can be attacked through weaknesses in the network links they depend on. The cardiac devices typically communicate with a monitoring unit in the patient's home, which then transmits the data to a central system at the health care provider. Both the wired and the wireless segments of that path are exposed.
To combat these security threats, the FDA has proposed that device makers submit a “cybersecurity bill of materials” (CBOM) to the agency for premarketing review. The CBOM would include a list of commercial, open source and off-the-shelf software and hardware that either is or could be vulnerable to attack.
As might be expected, the proposal has supporters and opponents. Among the supporters, Kaiser Permanente commented that a CBOM included as part of a device's risk management system would improve both device purchasing and maintenance decisions.
Opponents have suggested that the CBOM be replaced by a software-only bill of materials, arguing that including hardware would be too difficult to implement. According to a report at GovInfoSecurity, a medical device trade group, Advanced Medical Technology Association (AdvaMed), has proposed the software-only BOM to include “a list of commercial off-the-shelf software or open source software components … limited to version and build.”
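To show what a bill of materials "limited to version and build" is actually good for once a provider holds it, here is an added Python example (not from the FDA guidance, AdvaMed, or any device maker) that matches a small SBOM against a list of advisories. The SBOM layout loosely follows the CycloneDX JSON shape, but the components, versions, builds and advisories are all constructed for illustration and do not describe any real device. It also handles the case a maintainer runs into in practice: a component whose version string cannot be compared and has to be flagged for manual review rather than silently passed.

```python
"""
Added example: matching a software bill of materials (SBOM) against advisories.

Everything below is constructed for illustration. The component names, versions,
build identifiers and advisory ranges are assumptions, not real device contents
or real vulnerabilities.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed SBOM for a hypothetical home monitoring unit. The shape
# ("components" with name/version) loosely follows CycloneDX JSON; "build"
# is the per-component build identifier the AdvaMed proposal would keep.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2k", "build": "b1129"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "build": "b0044"},
        {"type": "operating-system", "name": "embedded-linux", "version": "4.9.0", "build": "b3001"},
        {"type": "library", "name": "libcurl", "version": "7.61.0", "build": "b0210"},
        # A vendor-supplied blob whose version field is not comparable.
        {"type": "library", "name": "bluetooth-stack", "version": "n/a", "build": "b0007"},
    ],
}


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: versions in [affected_from, fixed_in) are affected."""
    component: str
    affected_from: str
    fixed_in: str
    note: str


# Constructed advisory feed; none of these refer to real CVEs.
ADVISORIES = [
    Advisory("openssl", "1.0.2", "1.0.2q", "hypothetical: TLS handshake memory issue"),
    Advisory("libcurl", "7.0.0", "7.62.0", "hypothetical: header parsing overflow"),
    Advisory("embedded-linux", "4.0.0", "4.9.1", "hypothetical: network stack bug"),
    Advisory("zlib", "1.2.0", "1.2.11", "hypothetical: fixed before 1.2.11"),
    Advisory("bluetooth-stack", "2.0.0", "2.1.0", "hypothetical: pairing bypass"),
]

# major.minor.patch with an optional single trailing letter (OpenSSL 1.0.x style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '1.0.2k' into a comparable tuple; the letter suffix becomes 1..26, none is 0."""
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"version not comparable: {version!r}")
    major, minor, patch, letter = match.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if version lies in the advisory's half-open affected range."""
    parsed = parse_version(version)
    return parse_version(advisory.affected_from) <= parsed < parse_version(advisory.fixed_in)


def match_sbom(sbom: dict, advisories: list[Advisory]) -> list[dict]:
    """Report every component covered by an advisory, in SBOM order.

    status is "affected" when the version falls in the range, or "review" when
    the version string cannot be compared and a human has to check the build.
    """
    findings = []
    for component in sbom["components"]:
        for advisory in advisories:
            if component["name"] != advisory.component:
                continue
            try:
                affected = is_affected(component["version"], advisory)
                status = "affected" if affected else None
            except ValueError:
                status = "review"
            if status is None:
                continue
            findings.append({
                "component": component["name"],
                "version": component["version"],
                "build": component["build"],
                "status": status,
                "fixed_in": advisory.fixed_in,
                "note": advisory.note,
            })
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM, ADVISORIES):
        print(f"{finding['status']:8} {finding['component']} {finding['version']} "
              f"(build {finding['build']}) fixed in {finding['fixed_in']}: {finding['note']}")
```

The build identifier is carried through unchanged into the report: the version decides whether an advisory applies, but the build is what tells a maintainer which exact binary on the device needs replacing. Real SBOM tooling also has to cope with the many version schemes that do not fit a single regular expression, which is why the "review" path matters more than it looks.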
Recalling the January 2018 disclosure of the Spectre and Meltdown vulnerabilities, which affected nearly every processor manufactured since the mid-1990s, GE Healthcare noted that a CBOM could have to list "hundreds of programmable chipsets" embedded in a single computer workstation, and said it could see "no value" in disclosing so much hard-to-gather information.
AdvaMed also objects to the FDA's proposed two-tier structure for medical devices. Tier 1 covers devices that can connect to a network or another device and whose compromise could directly harm a patient, such as implanted defibrillators and pacemakers, infusion and insulin pumps, and the connected systems that support them, like home monitors and programming devices. Tier 2 covers all other devices. In its comments, AdvaMed noted:
We believe FDA should remove the two-tiered approach in favor of a single risk-based approach that addresses the agency’s cybersecurity expectations based on the exploitability of a device vulnerability and the severity of patient harm – if exploited.
GE Healthcare suggests adding a third tier for devices designated as low-risk, such as devices that require physical access in order to be exploited. Presumably, such access would be severely restricted.
Kaiser Permanente, meanwhile, argues for stricter network security:
Devices can be risk vectors for the enterprise and patients without causing direct harm. For example, a network security vulnerability in a device could allow exposure and/or modification of patient data in the electronic medical record resulting in patient harm indirectly.
In the absence of final guidance, the brunt of the costs and liabilities related to medical device cybersecurity vulnerabilities is currently borne by health care providers. Providers, like Kaiser, want device makers to take on the burden of cybersecurity. The device makers, like Medtronic, are willing to accept some regulation but want to stop well short of full responsibility. The FDA's task is, as usual, not a simple one.