In the US, cybersecurity in healthcare products will no longer be an afterthought.
Starting on October 1, 2023, the US Food and Drug Administration (FDA) will refuse to accept premarket submissions for new medical devices that carry known flaws or lack a secure design, and such devices won't be permitted for sale on the US market.
Manufacturers seeking FDA approval for new health devices must meet a list of new requirements.
World's First Consumer SBOM Mandate
First, the device must be protected with routine security updates and patches, including in emergency situations, following a process that applicants must describe in their submission.
Second, applicants must submit to the FDA a software bill of materials (SBOM) that lists the device's commercial, open-source and off-the-shelf software components.
This was "the first time an SBOM was required by law outside of government agency mandates," according to Taylor Lehmann, director of Google Cloud's Office of the CISO, speaking to Infosecurity at the Mandiant mWISE conference in Washington, DC.
Finally, even after the device has been approved by the FDA, manufacturers will be required to submit a plan to "monitor, identify, and address" potential cybersecurity issues associated with it once it is on the market.
This last requirement also marks a shift in how cybersecurity is handled in the healthcare industry. Previously, once a device had been approved it would not be removed from the market, even if it was later discovered to be vulnerable. This time, it might, said Lehmann, who was chief security officer at Tufts Medicine and Athenahealth before joining Google.
These new regulations won't apply to all medical devices. To count as "cyber devices" under the new rules, health devices must be able to connect to the internet and contain software that could be exposed to a cybersecurity threat.
This means that an air-gapped device used in a hospital would fall outside the new rules, while a consumer health device such as a connected smartwatch would be covered.
The End of the Grace Period
This first-of-its-kind federal mandate stems from the $1.7 trillion Consolidated Appropriations Act, 2023 (also known as the Omnibus), signed by President Joe Biden in December 2022, which the FDA is implementing through its guidance document Refuse to Accept Policy for Cyber Devices and Related Systems.
The Omnibus added Section 524B, Ensuring Cybersecurity of Devices, to the Federal Food, Drug, and Cosmetic Act (FD&C Act), and the FDA is enforcing that section through its Refuse to Accept policy.
Manufacturers were given a six-month grace period after the amended FD&C Act went into effect on March 29, 2023, during which the FDA did not enforce its Refuse to Accept policy.
That grace period comes to an end on October 1, 2023.
For hospital CISOs, the game is changing.
According to Lehmann, these new requirements are revolutionary for the healthcare sector, particularly for hospital CISOs.
According to him, “most health system networks presently operate illegal devices in terms of security.”
According to the FBI, over 50% of internet-connected medical devices in hospitals had cybersecurity vulnerabilities in 2022, and 40% of end-of-life devices had few or no security patches available.
Additionally, a study by the Ponemon Institute found that cyber-attacks on hospitals have become increasingly common in recent years, with nearly 89% of these institutions suffering at least one cyber-attack between 2021 and 2022.
"I believe—and hope—that other nations will adopt related legal frameworks and improve the cybersecurity posture of our healthcare systems. Fortunately, most nations in the world tend to agree on the exact standards in healthcare without too much discussion," Lehmann concluded.