
Cybersecurity Check-Up: Always A Good Time To Prepare to Protect

ABSTRACT: While Cybersecurity Awareness Month is not for a few more months, there is no time like the present to brush up on some of the risks, vulnerabilities, and strategies for preventing intrusions in medical devices.

Summertime can be full of opportunities to relax and recharge. However, it can also be a time when cyber outages, risks, and vulnerabilities are at their highest while guards are down, particularly around the holidays. While not a cybersecurity attack, CrowdStrike recently felt the strain of a cyber outage affecting multiple industries, a good reminder that our cyberspace is not infallible and requires regular attention and preparation to protect against malicious actors.

While Cybersecurity Awareness Month is not until October, there is no time like the present to brush up on some of the risks, vulnerabilities, and strategies for preventing intrusions in medical devices. In recent years, the FDA has been busy issuing recommendations for addressing and/or otherwise preparing for cybersecurity risks. A summary of their steady flow of actions can be found here. We’ve also blogged on cybersecurity risks here, here, and here.

In March of 2024, the FDA issued a draft guidance, Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act, that proposed updated cybersecurity recommendations to the industry, as well as recommendations for documentation in device premarket submissions. In the guidance, the recommendations focus on addressing cybersecurity in the premarket context where manufacturers must demonstrate a reasonable assurance of safety and effectiveness on devices that contain cybersecurity risks. This requires software validation and various risk management practices. When final, the guidance will supersede “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” issued September 27, 2023.

As previously reported, medical devices are vulnerable to attacks on a myriad of fronts. A common area of vulnerability involves unauthorized third parties or hackers obtaining information that may allow them to compromise a medical device via public information provided by certification agencies, device manuals and patent databases. A second vulnerability is that not all operating systems are compatible with one another, which leads to misconfiguration and vulnerabilities through gaps in security. Attacks may also involve medical devices that are already compromised, which can be used to attack other health care organization networks. Having less encryption on medical devices, while beneficial for emergency access, also presents opportunities for attacks. Other contributing factors include late or missing software updates and/or missing basic security features to prevent tampering, as well as a lack of knowledge, awareness, and education on cybersecurity issues and best practices.

Implantable medical devices, such as pacemakers, are a favorite target for hackers looking to test and penetrate device vulnerabilities. For example, hackers have been able to modify the devices’ transmitter and send various types of malicious programming commands, such as commands that deplete the batteries and memory storage, change the patients’ heartbeats and/or send electric shocks. As of 2023, the FDA ordered that such implantable medical devices must meet specific security guidelines, including making patches periodically available. We also previously reported on the FDA’s overall best practices for preventing cybersecurity breaches in medical devices, which can be summarized as follows:

  1. Limit access to only trusted users with passwords and/or other dual/multi-factor identification methods;
  2. Ensure only trusted content within the device through encryption;
  3. “Detect, respond, and uncover,” through various early detection and alert procedures;
  4. Create a risk management plan to analyze, detect, and assess threat sources (includes performing mock cybersecurity attacks to preemptively identify vulnerabilities);
  5. Be proactive and practice good cyber hygiene (e.g., regular password updates);
  6. Remediate through patches (updates) or fixes (e.g., automatic updates); and
  7. Maintain business relationships with software vendors and ensure they are providing you with timely information about any quality and/or security problems.

Examples from the past year of companies being proactive and identifying potential vulnerabilities in their medical devices include steps taken for the Alaris system and the Paceart Optima cardiac system.

We will be keeping an eye out for more developments from the FDA on cybersecurity guidance, as this is an area that is continually evolving and expanding to affect many different products and devices. Until then, enjoy the rest of your summer, but do not forget to practice good cyber hygiene (if you need one, here is your gentle reminder to change those passwords!).