New security requirements introduced for medical device manufacturers

Sens. Tammy Baldwin, D-Wisconsin, and Bill Cassidy, MD, R-Louisiana, introduced legislation on Apr. 1 that would tackle medical device security and infrastructure by adding manufacturer requirements, as well as ensuring healthcare users are provided with software bills of materials.

The Protecting and Transforming Cyber Health Care (PATCH) Act follows companion legislation introduced in the House of Representatives by Reps. Michael Burgess, MD, R-Texas, and Angie Craig, D-Minnesota on Mar. 29.

The proposed legislation comes in response to the continued impact of ransomware attacks on the healthcare sector throughout the pandemic, which have increased the risks to patient safety. Baldwin notes these attacks “exposed vulnerabilities in our healthcare infrastructure, impacting patients.”

As noted by Burgess, modernizing and protecting the U.S. healthcare infrastructure should be a top priority, which should include ensuring users are properly equipped to deal with foreign or domestic ransomware attacks – especially as threat actors continue to exploit vulnerabilities.

“New medical technologies have incredible potential to improve health and quality of life,” said Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

Higher security standards for manufacturers

The PATCH Act includes a number of elements that industry stakeholders have long-recommended as effective mitigation strategies for systemic medical device security challenges that have persisted in healthcare, leaving many provider organizations to simply accept a certain level of risk when it comes to vulnerable and/or legacy devices.

If enacted, the legislation would create cybersecurity requirements for manufacturers to gain premarket approval through the Food and Drug Administration, while enabling these vendors to design and maintain patch processes and procedures for devices and systems throughout the lifecycle.

Further, the PATCH Act would mandate the development of a post market cybersecurity plan for identifying, monitoring, and addressing vulnerabilities, in addition to requesting a coordinated vulnerability disclosure from the manufacturer to determine device safety and effectiveness.

Although the bills include a number of measures healthcare leaders have long discussed in recent years, Steve Abrahamson, executive director of technology consulting at EY, explained the legislation appears to only focus on regulated devices and adding new security controls on devices moving forward, rather than addressing “the more dominant issues affecting healthcare security.”

“Attempting to broadly define design requirements for cybersecurity across a broad range of devices may result in added costs with minimal benefits,” said Abrahamson. “A better approach may be to view security at the healthcare delivery level.”

Instead, resources should target improving operational security practices to target both new and legacy devices, as well as non-regulated healthcare information systems, “when considering the added costs that will result from a regulatory approach to medical device security,” he added.

One of healthcare’s largest challenges is its reliance on older, legacy devices that meet their clinical use but weren’t designed with security in mind. The legislation does not appear to contain language that would address those issues.

Further, “medical device manufacturers do not operate the devices they manufacture and have little influence over the operational security measures employed by the healthcare delivery organizations; adding regulatory requirements to the design does not guarantee any benefit within healthcare operations,” Abrahamson noted.

Both House and Senate bills included the same proposed requirements, including the requirements of the SBOM for devices that must be provided to users. In February, Linux research found the healthcare sector leading industries on SBOM adoption, despite its ongoing cybersecurity challenges and vulnerabilities.

The machine-readable data lists software packages, contents, copyrights, and license data for each device to provide transparency into its components. As noted by many healthcare providers, a lack of insight into device components has added to patch management challenges as providers are unsure of whether devices are operating with certain disclosed vulnerabilities.

In response, the Linux report showed that many hospitals are adding the SBOM requirements into their procurement contracts. However, many leaders don’t know how to examine an SBOM, the package manager listings, or open source licensing distribution lists to find risky elements.

As such, even if the PATCH Act passes and the SBOM requirement is added, it’s unclear whether the legislation would also add needed educational elements to make SBOMs more user-friendly. As Abrahamson explained, “Only the manufacturer of the device will have the engineering knowledge of the device required to make this determination.”

Despite these challenges, the FDA has advocated for continued transparency around device elements and risks through the SBOM. In its latest budget request, the agency asked for a $5 million budget increase to develop “a more comprehensive cybersecurity program for medical devices,” including identifying and remediating device flaws that pose a national security risk.

The proposed bills come on the heels of separate healthcare legislation introduced on Apr. 25, which would see the Department of Health and Human Services partnering with Cybersecurity Infrastructure Security Agency to improve the sector’s overall infrastructure.