‘Underfunded’ FDA fails to ensure medical devices are protected from cyberattacks, experts say
As the risk of cyberattacks on medical devices continues to rise, the Food and Drug Administration isn’t doing enough to ensure device makers include adequate security in their products, experts say.
They say part of the problem is that the agency lacks the funds and trained staff to assess the cyber risk the devices carry and enforce the rules it has on the books for approving devices.
“I’ve spoken to device manufacturers, particularly product security managers at device manufacturers, saying that they’ve been telling their organizations for a year or two that they need to include cybersecurity in their submissions or else they’re going to get rejected,” said Mike Kijewski, CEO of medical device cybersecurity company MedCrypt. “Yet for some of their recent submissions, they didn’t have a lot of cybersecurity documentation and they were still accepted by the FDA.”
Christopher Gates, director of product security for medical device engineering company Velentium, shared similar concerns about the FDA’s consistency on the issue.
“I’ve seen things approved for use in the operating room that had no mention of cybersecurity, nothing about mitigations,” Gates said.
Cyberattacks remain a significant risk to healthcare companies. ECRI Patient Safety Group reported 173 medical device cybersecurity alerts over the past five years. The organization warned that cybersecurity incidents don’t just disrupt business operations, but can “pose a real threat of physical harm”. For example, ransomware attacks against hospitals can cause device failures that disrupt patient care and, at worst, endanger lives.
The FDA released draft guidance in April that details what cybersecurity information device makers must include when applying to have devices, and the software that runs them, approved by the agency, and the U.S. House of Representatives has passed a bill that would codify the FDA’s authority to enforce cybersecurity requirements.
Additionally, the FDA sees a “continuing increase” in the number of devices that include software functionality or some degree of connectivity, FDA spokesperson Jeremy Kahn wrote in an email. The agency declined to say how many devices would need to submit cybersecurity information as part of the pre-market review process, but noted that “due to these trends, we expect the majority of submissions will require a cybersecurity assessment”.
The problem isn’t that the FDA’s cybersecurity guidelines are lacking, but that device makers view the guidelines as optional, and the agency lets devices without adequate cybersecurity protection pass through its approval process, Kijewski said.
Still, the new guidelines are more detailed and robust than the agency’s last version in 2018, Kijewski added.
The draft guidance focuses on maintaining cybersecurity throughout the life of a medical device and requires a “software bill of materials,” effectively a list of the software components that make up a device, he said.
The draft guidance also differs from the previous version in that it no longer classifies devices by cybersecurity risk tier, a change intended to “encourage all manufacturers to take appropriate cybersecurity risks,” Matthew Hazelett, cybersecurity policy analyst for the Center for Devices and Radiological Health, said during a webinar in June.
Meanwhile, device makers and at least one major trade group say the proposed FDA rules are too restrictive and should be phased in gradually.
In comments submitted to the agency, Philips Healthcare raised concerns that the amount of information and level of detail requested are not appropriate for all types and risk classes of devices, urging the agency to “reconsider the breadth and depth of information requested in pre-market submissions”.
Trade group AdvaMed also wrote, in comments submitted July 10, that cybersecurity requirements should be risk-based and that the FDA should provide a two-year implementation timeline.
Velentium’s Gates said he would prefer the new guidance to be aligned with other standards, such as those developed by the International Organization for Standardization, which several countries use as the basis for their quality management systems. Separately from its cybersecurity guidance, the FDA is adopting ISO 13485 to align U.S. manufacturing requirements with international standards.
“When you interpret these concepts, not necessarily their iteration of how to achieve them, they are actually very good concepts,” Gates said, adding that the FDA is “woefully underfunded” for cybersecurity.
A tight labor market
The FDA is asking Congress for approximately $5.5 million in 2023 to develop a cybersecurity program for devices, including hiring additional staff.
Currently, the FDA has only three people fully dedicated to medical device cybersecurity. While other staff members support its cybersecurity work, they have other responsibilities within the medical device portfolio, according to the agency.
“The FDA has declared its critical need for additional resources to advance its medical device cybersecurity work through budget appropriation requests,” Kahn of the FDA wrote.
The most likely use of the funds, Gates said, could be training staff to be more consistent in pre-market review. For example, cybersecurity requirements could be added to a checklist, and if companies don’t meet them, the agency could refuse to accept the device for review.
The FDA could also use the funds to provide training for field investigators. Gates said the $5 million probably wouldn’t give the agency enough staff.
“IT cybersecurity folks go to a real premium, integrated cybersecurity folks, even better,” Gates added. “To go and hire these people directly and compete with private industry, they don’t have the salary for that.”
Even in the private sector, in medical device companies, hiring has been slow. While the top 15 medtech companies have outpaced the national average in tech hiring growth between 2021 and 2022 year-to-date, they have lagged in hiring for cybersecurity positions, according to an analysis of job postings by the information technology trade association CompTIA.
The reason for this is unclear, wrote Tim Herbert, director of research for CompTIA, in an emailed statement. This could be because medtech companies are prioritizing hiring in other technology areas such as software development and data science, or they might choose to outsource a larger part of the job to experts dedicated to cybersecurity.
“Because the labor market is so tight for cybersecurity talent, it can be difficult for medtech companies to compete with all other employers in the rare talent market, and they may pursue more of an internal talent development strategy, upgrading and reskilling existing staff,” Herbert wrote.
In the meantime, legislation is pending in Congress that would also add some “bite” to the FDA requirements. The House has included cybersecurity requirements that manufacturers must adhere to during the pre-market approval process as part of legislation to reauthorize FDA user fee programs. The Senate has yet to pass a version of the user fee bill.