Medical equipment such as medical tablets does more than display electronic medical records (EMR) or real-time patient vitals like heart rate. Many such devices also provide limited protection from cyber attacks, and that protection extends to the medical devices they connect to, many of which are vulnerable to hackers.

New federal government regulations aim to close that gap in medical device cybersecurity. We cover that new guidance today and explain why it is especially important in modern healthcare. We also look at how medical computers will continue to protect medical devices and the patients they are attached to.

FDA’s Newest Law on Cybersecurity for Medical Devices

In March, the US Food and Drug Administration (FDA) issued guidance requiring cybersecurity for medical devices. It is far more extensive and detailed than the similar 30-page postmarket management guidance issued in 2014.

The four key points of the guidance are as follows:

  • Medical device manufacturers seeking FDA approval for new devices during the premarket approval phase must provide “reasonable assurance” that the device in question is protected from cyber attacks.
  • Manufacturers must describe how they plan to “monitor, identify, and address” cybersecurity vulnerabilities and threats on their devices.
  • Manufacturers must make firmware updates, patches, and post-market software available for the device and all related systems.
  • Manufacturers must provide a “software bill of materials,” or SBOM, for their devices, covering all commercial, off-the-shelf, and open-source software as well as software components.

Under the new guidance, the FDA is required to work with the US Cybersecurity and Infrastructure Security Agency (CISA) to provide updates on cybersecurity in medical devices. The first will be issued in 2025, with further updates released periodically as needed.

Medical devices submitted for premarket approval before October 1st of this year will not receive a refusal to accept from the FDA. Instead, the agency will work with the device manufacturers to verify their cybersecurity readiness. Starting on October 1st, however, the agency will refuse submissions that do not comply with the above guidelines. This includes previously approved devices that are resubmitted on or after Oct. 1st.

Penalties for non-compliance with the new cybersecurity rules for medical devices are up to $15,000 per violation, not to exceed $1,000,000 in total in a single proceeding. This does not include penalties for any other violations of medical device application regulations.

Reaction to the new guidance has been swift and positive. “It’s super exciting,” said Naomi Schwartz, senior director of cybersecurity quality and safety at MedCrypt, a cybersecurity solution provider for medical devices and manufacturers. “There hasn’t been a change like this allowing regulatory bodies in the U.S. to go after something for cybersecurity for the last decade.”

Richard Staynings, chief security strategist with Cylera and adjunct professor of Cybersecurity and Health Informatics at the University of Denver, agrees. “Finally, after more than a decade of pressure from cybersecurity leaders and healthcare providers, manufacturers of medical devices are to be held to a much higher standard of security design, manufacture and support of the devices they produce and sell, or lease to providers.”

A Long-Standing Need in Healthcare Cybersecurity

The recent action by the FDA has been long anticipated. Cybersecurity for medical devices has challenged the healthcare sector for some time, for reasons ranging from complex IT networks to the continued use of legacy equipment and devices. All of these, and more, leave medical devices vulnerable to hacking.

A 2022 FBI report on unpatched and outdated medical devices revealed that more than 50 percent of medical devices in the US are open to cyberattack. Highlights from the report include:

  • Each medical device currently on the market has on average 6.2 vulnerabilities to cyberattacks. 
  • Insulin pumps and pacemakers have particularly serious cybersecurity issues.
  • 40 percent of devices used for end-of-life care have no protection against cyberattacks.  
  • Around half of all hospitals have been the target for ransomware.

Legacy medical devices with outdated software are of particular concern, the report noted. The average medical device remains in active use for 10 to 30 years depending on the manufacturer, which gives hackers ample time and opportunity to access them, and many lack even basic security features.

The lack of security has massive financial consequences. Ransomware attacks cost healthcare organizations between $250,000 and $500,000 per attack. Data breaches of protected health information (PHI) can cost over $10 million, according to one report by IBM.

“Businesses need to put their security defenses on the offense and beat attackers to the punch,” states Charles Henderson, Global Head of IBM Security X-Force. “It’s time to stop the adversary from achieving their objectives and start to minimize the impact of attacks. The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases.” 

Using Medical Computers to Provide Cybersecurity for Medical Devices

Until the guidance was released, the healthcare industry bore the brunt of responsibility for the cybersecurity of its networks. Many of those policies remain valid and should definitely continue. Medical computers, tablets, and medical box PCs continue to aid healthcare cybersecurity in the following ways:

Authentication hardware

Many cybersecurity breaches do not happen online but through the simple, yet still very effective, means of stealing the computer hardware. Medical computers with built-in authentication hardware such as an RFID scanner and/or CAC reader make access much more difficult without an authorized staff member’s RFID badge or CAC card.

Single Sign On

Coupled with authentication hardware is software such as Imprivata single sign-on, which lets healthcare IT (HIT) authenticate users and staff members as they log into their workstations. Once HIT becomes aware of an intruder’s activity, it can quickly lock that intruder out while still granting access to rightful users across the facility’s networks.

Legacy ports

As previously mentioned, many hospitals and other medical facilities continue to use devices and equipment even after they are no longer supported by their original manufacturers. Medical computers with legacy ports provide access to these legacy devices while offering many modern protections against cyberattacks.

Enabled TPM

A Trusted Platform Module, or TPM, is a tiny chip usually built into a computer’s motherboard or into the processor (CPU). It is designed to protect the data used to authenticate a particular computer, which it does by splitting its encrypted authentication keys between itself and the computer’s hard disk. If the TPM chip is removed, the computer will not boot from the drive. Likewise, if a hacker somehow stole the hard disk and tried to access it by attaching it to another computer, that attempt would fail as well.
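The machine-binding described above, as an added example that is not Cybernet’s code or a real TPM API: a small Python model in which a disk key is sealed to a chip-unique secret plus boot measurements, so it only unseals on the same chip with the same boot chain. The ToyTPM class, the PCR indices and the firmware/bootloader measurement values are constructed stand-ins.

```python
# Added example (not Cybernet's code): software model of how a TPM binds a disk key to
# one machine and one boot chain. ToyTPM, PCR indices and measurements are constructed.
import hashlib, hmac, os, secrets
class ToyTPM:
    """Holds a per-chip secret that never leaves the chip, plus PCR registers."""
    def __init__(self):
        self._seed = secrets.token_bytes(32)  # unique to this chip, not exportable
        self.reset()

    def reset(self):
        """Power-on: PCRs return to zero before the boot chain is measured."""
        self.pcrs = [b"\x00" * 32 for _ in range(8)]

    def extend(self, index, measurement):
        # PCR[i] = SHA256(PCR[i] || SHA256(measurement)); order of measurements matters
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()

    def _policy_key(self, indices):
        # Usable only by this chip (seed) and only with these exact PCR values
        policy = hashlib.sha256(b"".join(self.pcrs[i] for i in indices)).digest()
        return hmac.new(self._seed, policy, hashlib.sha256).digest()

    def seal(self, secret, indices):
        k, nonce = self._policy_key(indices), os.urandom(16)
        stream = hashlib.sha256(k + nonce).digest()  # secret is 32 bytes in this toy
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # this blob is what gets stored on the hard disk

    def unseal(self, blob, indices):
        k = self._policy_key(indices)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("policy mismatch: other TPM or changed boot chain")
        stream = hashlib.sha256(k + nonce).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))

def provision(tpm, firmware, bootloader):
    """Measure the trusted boot chain, then seal a fresh disk key to it."""
    tpm.reset(); tpm.extend(0, firmware); tpm.extend(4, bootloader)
    disk_key = secrets.token_bytes(32)
    return disk_key, tpm.seal(disk_key, (0, 4))

def boot(tpm, firmware, bootloader, sealed_blob):
    """Re-measure at boot; return the disk key, or None when the TPM refuses."""
    tpm.reset(); tpm.extend(0, firmware); tpm.extend(4, bootloader)
    try:
        return tpm.unseal(sealed_blob, (0, 4))
    except PermissionError:
        return None
```

Moving the sealed blob to a second ToyTPM (a different chip secret) or changing either measurement makes `boot` return None, which is the failure mode the paragraph describes for a removed chip or a stolen drive.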

Closing Thoughts

Providing cybersecurity for medical devices has long fallen on hospitals, clinics, and other medical facilities. The new law by the FDA, which went into effect back in March, now directs medical device manufacturers to keep their products cyber secure in the marketplace.

Contact an expert at Cybernet to learn how medical computers continue to keep vital patient information safe from hackers, and how they complement the new FDA guidelines.