By: Michael Oglesby, Executive Vice President, Services and Innovation
Within the broad realm of the Internet of Things (IoT), connected devices, smart devices, or whatever name you wish to attribute to the increasingly popular trend of connecting consumer goods of all kinds to the Internet, a “Wild West” attitude holds sway. In the same way that people rushed to stake a claim in the American West, attracted by a culture of lawlessness and self-determination, device manufacturers have introduced an incredible variety of products into this new, unregulated frontier, with security concerns often taking a back seat to new features, customer adoption, and speed to market.
Over the past year, one IoT industry segment has received a notable—and necessary—amount of cybersecurity scrutiny, standing in stark contrast to the rest of the market: connected medical devices and equipment. Where the manufacturers of Wi-Fi connected speakers may not be too concerned with security standards, connected medical device manufacturers are facing regulatory pressures to hold themselves to a higher standard.
The threat of cybersecurity vulnerabilities within medical devices is well known—it’s now a popular plot device in movies and TV shows. Though sensationalized there, these risks are very real, and the consequences of lax security controls on connected medical devices could result in compromising and shutting down an entire hospital network as well as causing serious health complications for scores of patients, as seen in the 2017 WannaCry ransomware attack.
So what can we learn from the recent cybersecurity scrutiny of medical-connected devices, and how might the developing regulatory landscape impact the industry as a whole?
Medical Device Security Risks
The health care industry, like all others, is modernizing and embracing digital transformation at an almost alarming rate. And a big part of this is internet-connected medical devices; they are now almost commonplace and have developed their own nomenclature known as IoMT–Internet of Medical Things. These devices aim to enhance patient safety and improve how treatment is delivered through medical technology. Where once you had to make a doctor’s appointment, drive to the clinic, give your device to a nurse, and have the physician review your medical information, with an IoMT device, your medical information is wirelessly uploaded to the cloud and read by your doctor in real time. What could possibly go wrong?
As a cybersecurity professional, I know that building, and most importantly, maintaining a secure system is no small task. When manufacturers fail to put security front and center in their product development lifecycle, IoMT devices are left vulnerable to determined criminal hackers. These vulnerabilities are likely to materialize in serious security incidents, with potentially devastating consequences.
For example, in 2017, cybersecurity experts specializing in medical devices discovered vulnerabilities in a brand of pacemaker that would allow them to modify a patient’s heartbeat and even drain the device’s battery. After learning of this vulnerability, the FDA stepped in, voluntarily recalling 500,000 pacemakers and requiring the device maker to provide firmware updates that would patch these security issues.
Though no confirmed cyberattack on medical devices has been reported, if the medical device industry is hoping to stay one step ahead of cybercriminals, it must ensure that device manufacturers make security a key aspect of their IoMT device designs. In the security industry, we have a saying: “It’s not if you will be attacked, it’s when.”
The FDA Increases Efforts to Address Cybersecurity Concerns
In late 2018, the Department of Health and Human Services Office of the Inspector General (IG) critiqued FDA procedures for assessing post-market cybersecurity risk to medical devices. To fortify the FDA’s core mission “to ensure there is a reasonable assurance that medical devices legally marketed in the United States are safe and effective for their intended uses,” the agency outlined its ongoing efforts in enhancing medical device security.
According to the FDA, “All legally-marketed medical devices have benefits and risks. The FDA clears, authorizes, and approves devices to be marketed when there is a reasonable assurance that the devices are safe and effective for their intended use.”
This new scrutiny has resulted in multiple revisions to the FDA’s guidance on medical device cybersecurity, with the most recent version published in draft form in April 2022. Each new version of the guidance further increases the cybersecurity requirements device manufacturers must consider in both pre- and post-market implementation. The latest guidance goes even further regarding post-market considerations, calling for cybersecurity to be considered across the device’s entire development lifecycle, including ongoing vulnerability and patch management.
As a result of these recommendations, most medical device manufacturers will need to strictly adhere to a set of robust regulatory requirements if they want to pass the FDA safety threshold to legally produce, sell, and distribute their connected medical devices.
Some of these standards include:
- The Open-Source Security Testing Methodology Manual
- U.S. NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
- FDA Premarket Notification 510(k)
- FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2018 Draft)
- EU (European Union) Medical Devices Regulation (MDR)
- UL 2900 set of standards (UL’s Cybersecurity Assurance Program)
In most cases, manufacturers can achieve this through a program of penetration testing and risk assessment, including:
- Assessing risks pertaining to confidentiality, integrity, and availability
- Assessing the ability to provide secure and timely updates and patches
- Assessing and identifying third-party components using software bill of materials (SBOM) processes
- Assessing the threat landscape and building a threat model
- Assessing security use cases
- Performing vulnerability analysis and penetration testing
- Including cybersecurity throughout the entire product lifecycle
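As an added example tied to the SBOM and update/patch-management items above (not code from the original post or from Cerberus Sentinel), the Python below triages a constructed, simplified CycloneDX-style SBOM for a hypothetical pump firmware against a constructed advisory list, flagging components older than the fixed version and components that carry no version at all, which cannot be assessed. The device name, component names, versions and advisory ids are all invented.

```python
"""Triage a device SBOM against constructed advisories (added example).
Constructed: the SBOM and advisories below are invented and simplified
CycloneDX-style JSON, not an FDA format or real advisory data."""
import json

# Constructed SBOM for a hypothetical infusion-pump firmware build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"name": "pump-firmware", "version": "3.2.0"}},
  "components": [
    {"name": "openssl", "version": "1.0.2u"},
    {"name": "zlib", "version": "1.2.11"},
    {"name": "mqtt-client", "version": "0.8.1"},
    {"name": "bootloader-blob"}
  ]
}
"""

# Constructed advisories: component -> first version carrying the fix.
ADVISORIES = {
    "openssl": {"id": "ADV-EXAMPLE-1", "fixed_in": "1.1.1"},
    "mqtt-client": {"id": "ADV-EXAMPLE-2", "fixed_in": "0.9.0"},
    "zlib": {"id": "ADV-EXAMPLE-3", "fixed_in": "1.2.11"},
}

def version_key(version):
    """Split '1.0.2u' into [(1,''),(0,''),(2,'u')] so versions compare sanely."""
    key = []
    for part in version.split("."):
        digits = "".join(c for c in part if c.isdigit())
        key.append((int(digits) if digits else 0, part[len(digits):]))
    return key

def triage_sbom(sbom_json, advisories):
    """Return (affected, unversioned): components older than an advisory's
    fix, and components whose missing version blocks any matching."""
    sbom = json.loads(sbom_json)
    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)  # cannot be assessed: a finding in itself
            continue
        adv = advisories.get(name)
        if adv and version_key(version) < version_key(adv["fixed_in"]):
            affected.append((name, version, adv["id"]))
    return affected, unversioned
```

In a real program the advisory list would be refreshed from a vulnerability feed on every build and again on a post-market schedule, and an unversioned component would block release until the supplier provides the version.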
Congress Weighs In
Although the FDA currently plays an important role in ensuring security within the IoMT industry, its guidance and enforcement ability are limited. With the recent escalation of attacks on hospitals and medical providers as well as the rise of concerns over medical device cybersecurity, Congress has taken notice, and efforts have been introduced to further strengthen and empower the FDA. In March 2022, both the House and the Senate introduced bills squarely aimed at addressing the security of medical devices and strengthening the FDA’s ability to enforce those guidelines. The Senate bill, the Healthcare Cybersecurity Act of 2022, and the House bill, the Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act), contain provisions that could turn the FDA draft guidance into formal requirements.
What Can Other Industries Learn From This?
Industries should take notice that if they don’t address cybersecurity, government regulation could be coming. We’ve seen this trend play out within not only the IoMT space but also critical infrastructure sectors such as oil and gas pipelines and the electric grid. Although no established uniform guidelines for IoT devices currently exist, this is changing and may ultimately extend across industries. Recognizing that many IoT device makers of appliances and other household items have little experience protecting and securing consumer data, the National Institute of Standards and Technology (NIST) is working on recommending steps manufacturers can take to provide IoT cybersecurity for their customers. NIST is also coordinating with both domestic and global stakeholders to develop IoT device security-related capabilities and standards.
As the world leader in a unified approach to regulatory compliance as it overlaps with security, we take the approach that in most cases, it’s better to get ahead of the curve and begin implementing standards before they are required, especially as they relate to manufactured technology. It is far less costly for manufacturers to implement principles of “security by design” from the beginning than to go back and attempt to add or retrofit security measures into a process that did not take them into account. NIST guidance will be very helpful in serving as the likely precursor to what may become actual regulatory requirements.
With this in mind, regulatory bodies responsible for other industries in the connected device space should be proactive regarding IoT cybersecurity and learn from the FDA’s unified approach toward securing medical devices. Connected devices of all kinds should be subject to a standardized and, in many cases, internationally recognized security standard. This could help to combat the Wild West mentality in the industry and will also give consumers the desired confidence of knowing that their connected devices, be they refrigerators, speakers, or HVAC systems, are held to the same standards as those used in their hospitals and medical practices.
We Are Here to Help
It’s vital to consider cybersecurity throughout the lifecycle of a product, and we’re here to help. Cerberus Sentinel has extensive experience designing security architectures and performing threat analysis and penetration testing of medical devices. We’ve worked closely with the FDA to ensure our methodologies meet and exceed their standards. Reach out to schedule a consultation to see how we can help.
See NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, published concurrently with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. See also https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program