Before medical device manufacturers are able to release a product to market, they are subject to Food and Drug Administration (FDA) reviews to evaluate the safety and effectiveness of these devices. Since 2014, those evaluations have included medical device security guidance, with a subsequent update in 2018. Now, with the explosive growth of connected devices used by hospitals and healthcare providers and a growing number of cyberattacks that have crippled healthcare services, the FDA recently released draft guidelines requiring that devices comprising the Internet of Medical Things (IoMT) meet more stringent cybersecurity standards.
“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” is a 45-page document that deals with security design, vulnerability disclosures, Software Bill of Materials (SBOMs), and other documentation requirements that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.
In general, this is a step in the right direction for the FDA. Security needs to be built into the design of medical devices. At the same time, because medical devices have longer lifecycles than typical IT devices, it may be years before new devices falling under this new guidance are deployed. Because of the risks inherent in existing medical devices, healthcare organizations need to take action to secure legacy devices now.
What Is Included in the FDA Guidance for Medical Devices?
New medical device applicants are advised to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits.”
They are also asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” This includes making patches available “on a reasonably justified regular cycle,” and for newfound critical vulnerabilities, “as soon as possible out of cycle.”
Finally, manufacturers must provide the FDA with “a Software Bill of Materials,” including any open-source or other software their devices use. This is one of the new changes in the FDA guidance: a complete SBOM requirement instead of the Cybersecurity Bill of Materials (CBOM) outlined in the 2018 guidance.
Note that even with a manufacturer-provided SBOM, when a zero-day vulnerability like Log4J or OpenSSL is discovered, it is almost impossible to find out the real composition of the packages and the dependent libraries that were pulled into each package when the software was built and shipped. Sometimes the manufacturer may have customized and configured functionality, and those additional details aren’t released.
Therefore, as the FDA determines the format for manufacturer SBOMs, it is important to ensure that these SBOM declarations are detailed enough to include every library that is included in the build, including transitive dependencies. With this FDA mandate, if manufacturers release an SBOM that is accurate and complete, along with configuration settings, Ordr (and our vulnerability matching engine) can immediately assess the risk of these vulnerabilities and understand the exposure and exploitability.
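The paragraph above argues that an SBOM is only useful for vulnerability matching if it names every library, including the ones nested inside other packages, with a version. The following is an added illustration of that matching step, not Ordr's engine or any FDA-specified format: it walks a constructed, simplified CycloneDX-style SBOM (nested components), compares each component's version against a small list of hypothetical advisories with placeholder identifiers (not real CVE data), and separately reports components the SBOM lists without a version, since those cannot be assessed at all.

```python
"""Match a constructed SBOM against a small advisory list.

Added example, not Ordr's code. The SBOM is a constructed, simplified
CycloneDX-style document with made-up component names; the advisories are
hypothetical entries with placeholder ids, not real CVEs.
"""
import json
import re

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "infusion-pump-ui", "version": "3.2.0", "type": "application",
     "components": [
        {"name": "log4j-core", "version": "2.14.1", "type": "library"},
        {"name": "openssl", "version": "1.1.1k", "type": "library"}
     ]},
    {"name": "telemetry-agent", "version": "1.0.5", "type": "application",
     "components": [
        {"name": "openssl", "version": "3.0.7", "type": "library"},
        {"name": "vendor-crypto-shim", "type": "library"}
     ]}
  ]
}
"""

# Hypothetical advisories: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "log4j-core", "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.7"},
]


def version_key(version):
    """Turn '1.1.1k' into a comparable tuple. Numeric tokens sort before
    letter tokens, so 1.1.1k < 3.0.0 and 2.17.0 < 2.17.1. Simplified,
    not a full semver implementation."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open range."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def walk(components, path=()):
    """Yield (path, component) for every component, including nested ones,
    so transitive dependencies are assessed and reported with their parent."""
    for comp in components:
        here = path + (comp["name"],)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def assess_sbom(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Return matched advisories plus components that lack a version."""
    sbom = json.loads(sbom_json)
    findings, incomplete = [], []
    for path, comp in walk(sbom.get("components", [])):
        version = comp.get("version")
        if not version:
            incomplete.append(" > ".join(path))  # cannot be assessed
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(version, adv):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": version, "path": " > ".join(path)})
    return {"findings": findings, "incomplete": incomplete}


if __name__ == "__main__":
    result = assess_sbom()
    for f in result["findings"]:
        print(f"AFFECTED {f['advisory']}: {f['path']} {f['version']}")
    for p in result["incomplete"]:
        print(f"UNASSESSABLE (no version in SBOM): {p}")
```

On this input only the nested log4j-core 2.14.1 matches; openssl 3.0.7 is the fixed version and openssl 1.1.1k is outside the advisory range. The unversioned vendor-crypto-shim entry is the case the paragraph warns about: it is listed, but a matching engine can say nothing about it.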
When Does This Mandate Take Effect?
Section 3305 of the spending bill — “Ensuring cybersecurity of medical devices”— is an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect 90 days after the Act became law, and with its new authority, the FDA has given manufacturers six months — until Oct. 1, 2023 — to comply with the new regulations. The new law also requires the FDA to update its medical device cybersecurity guidance at least every two years.
How Can Ordr Help with This Mandate? What About Existing Medical Devices?
Security of medical devices is a shared responsibility. While the FDA mandate can ensure security for a device before it is released to the market, the day-to-day management and security of devices after FDA approval is the responsibility of healthcare providers and requires a solution like Ordr. Ordr not only maintains an accurate device inventory and monitors devices for vulnerabilities and threats but also delivers device utilization details to optimize operations.
In addition, medical devices are expensive, and a complete upgrade to new devices that adhere to the new guidelines is not operationally feasible or cost effective. Ordr can ensure that existing devices (pre-2022 devices) or devices with outdated operating systems in the network are secured via Zero Trust segmentation policies that restrict access and communications to only what each device’s role requires.
We recommend the following approach to secure every connected device. Download our Maturity Guide for connected device security for more details:
- See every device: You can’t protect what you don’t know about. Security starts with real-time, granular visibility of every device connected to your network and how those devices communicate within your environment and externally to the Internet. Every connected device in the hospital including IoMT, IoT, and operational technology (OT), plays a role in either patient care or hospital operations. Ultimately, the security of every device in the hospital can impact hospital services and patient safety, therefore real-time visibility into every device is essential.
With regard to the new 2022 FDA mandate, Ordr can ingest SBOMs as manufacturers make them available, to enable easy visibility across the entire organization. Ordr Software Inventory Collector can complement manufacturer SBOMs by identifying applications for devices running Windows, iOS, and Linux operating systems.
- Know your attack surface: The attack surface for healthcare organizations can range widely. Organizations need to be able to identify the following risks within their connected devices:
  - Vulnerabilities – CVEs need to be prioritized and patched. Ordr offers full lifecycle vulnerability management capabilities to identify these vulnerabilities, prioritize them based on impact to a hospital (i.e., clinical risk), track and tag them for appropriate remediation workflows, and generate reports on them. Ordr also integrates with CMMS and CMDB tools to enrich their view of vulnerabilities, and with ITSM systems to create tickets and manage workflows for remediation.
  - FDA or manufacturer recalls – To meet compliance requirements, it is important to identify devices that have been recalled either by the FDA or by manufacturers. Ordr integrates with FDA and manufacturer databases to provide insights and help hospitals identify impacted devices.
  - Exploits and active threats – To protect healthcare organizations from active threats, Ordr offers an integrated intrusion detection system (IDS) that can inspect east-west and north-south device communications for active threats. Devices that are impacted by top security issues such as OpenSSL, Log4J, SolarWinds, and Conti are highlighted in a unique security category in the Ordr dashboard for easy analysis.
  - Anomalous behavior – Unlike most IT systems and software, medical devices and many IoT and OT devices have deterministic functions. Ordr uses machine learning (ML) to baseline normal behavior for every device. From that baseline, Ordr identifies deviations that can be an indication of attack or compromise, including zero-day activity. In addition, Ordr can dynamically create policy to help ensure a rapid response, enabling teams to contain and stop an attack.
  - Track who is using your devices – By tracking and associating devices with users, Ordr can identify compromised devices and potential account misuse.
- React to Zero Day events: By ingesting SBOMs and utilizing Ordr’s Software Inventory Collector, organizations can react more quickly to Zero Day events. There is no need to wait for manufacturers to determine whether devices are running a vulnerable application. Ordr correlates all the application information from both SBOM and Software Inventory Collector into one searchable database.
- Secure with automated policies:
  - During an incident, quickly prevent lateral movement by pinpointing compromised devices and creating policies to quarantine the device, block ports, or terminate sessions.
  - Implement Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operation by allowing only the “normal communications” required for their function, while limiting exposure.
  - When a new IoC (indicator of compromise) is announced, identify whether any device communicated with the malicious domain in the past 365 days.
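The last item describes a retrospective IoC lookback: given a newly published malicious domain, find every device that resolved or contacted it within a window. The following is an added illustration of that check, not Ordr's code: it runs over a few constructed DNS query log lines (the line format and device names are assumed for the example; the domains use the reserved `.invalid` and `.example` names and are not real indicators) and handles the details that a naive substring search gets wrong, namely subdomains of the IoC, letter case, look-alike names that merely contain the IoC as a suffix, and events older than the lookback window.

```python
"""Retrospective IoC lookback over DNS query logs.

Added example, not Ordr's code. The log lines, device names and domains are
constructed; the line format "<ISO timestamp> device=<name> qname=<domain>"
is an assumption made for this example.
"""
from datetime import datetime, timedelta, timezone

DNS_LOG = """\
2023-09-30T08:15:02Z device=infusion-pump-07 qname=telemetry.vendor-a.example
2023-09-30T08:15:09Z device=infusion-pump-07 qname=cdn.Malicious-Example.invalid
2023-07-04T23:59:59Z device=ct-scanner-02 qname=update.malicious-example.invalid
2022-08-01T12:00:00Z device=mri-01 qname=malicious-example.invalid
2023-09-29T10:10:10Z device=nurse-ws-11 qname=notmalicious-example.invalid
2023-09-29T10:11:10Z device=nurse-ws-11 qname=login.vendor-b.example
"""

# Constructed IoC (reserved .invalid TLD) and a fixed "now" so the
# 365-day window is reproducible.
IOC_DOMAIN = "malicious-example.invalid"
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, device, normalized query name) for one log line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Lower-case and strip a trailing dot so matching is case-insensitive.
    return ts, fields["device"], fields["qname"].rstrip(".").lower()


def matches_ioc(qname, ioc):
    """Exact match or a subdomain of the IoC. Requiring the '.' boundary
    keeps look-alikes such as notmalicious-example.invalid from matching."""
    ioc = ioc.rstrip(".").lower()
    qname = qname.rstrip(".").lower()
    return qname == ioc or qname.endswith("." + ioc)


def devices_that_contacted(ioc, log=DNS_LOG, now=NOW, lookback_days=365):
    """Map each device that queried the IoC inside the window to the
    timestamps of those queries (ISO 8601 strings)."""
    cutoff = now - timedelta(days=lookback_days)
    hits = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, qname = parse_line(line)
        if ts < cutoff or not matches_ioc(qname, ioc):
            continue
        hits.setdefault(device, []).append(ts.isoformat())
    return hits


if __name__ == "__main__":
    for device, times in devices_that_contacted(IOC_DOMAIN).items():
        print(f"{device}: {len(times)} query(ies), first at {times[0]}")
```

With the constructed log, infusion-pump-07 (subdomain, mixed case) and ct-scanner-02 (subdomain) are reported; mri-01 contacted the domain but more than 365 days before the reference date, and nurse-ws-11's look-alike name is correctly ignored. Widening `lookback_days` brings mri-01 back into scope, which is the knob an analyst would turn when the IoC is known to be older than the window.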
The Ordr platform is trusted by the world’s leading healthcare delivery organizations. Schedule a demo with our product experts to see how we can secure your connected devices.