[BreachExchange] New security requirements introduced for medical device manufacturers

Matthew Wheeler mwheeler at flashpoint-intel.com
Wed Apr 6 08:48:40 EDT 2022


https://www.scmagazine.com/analysis/device-security/new-security-requirements-introduced-for-medical-medical-device-manufacturers

New security requirements introduced for medical device manufacturers

Jessica Davis

Medical devices are a critical part of healthcare infrastructure. A pair of
bipartisan bills aim to tackle device security challenges by adding
requirements for manufacturers.

Sens. Tammy Baldwin, D-Wisconsin, and Bill Cassidy, MD, R-Louisiana,
introduced legislation on Apr. 1 that would tackle medical device security
and infrastructure by adding manufacturer requirements, as well as ensuring
healthcare users are provided with software bills of materials.

The Protecting and Transforming Cyber Health Care (PATCH) Act follows
companion legislation introduced in the House of Representatives by Reps.
Michael Burgess, MD, R-Texas, and Angie Craig, D-Minnesota on Mar. 29.

The proposed legislation comes in response to the continued impact of
ransomware attacks on the healthcare sector throughout the pandemic, which
have increased the risks to patient safety. Baldwin notes these attacks
“exposed vulnerabilities in our healthcare infrastructure, impacting
patients.”

As noted by Burgess, modernizing and protecting the U.S. healthcare
infrastructure should be a top priority, which should include ensuring
users are properly equipped to deal with foreign or domestic ransomware
attacks – especially as threat actors continue to exploit vulnerabilities.

"New medical technologies have incredible potential to improve health and
quality of life," said Cassidy. "If Americans cannot rely on their personal
information being protected, this potential will never be met."

Higher security standards for manufacturers

The PATCH Act includes a number of elements that industry stakeholders have
long recommended as effective mitigation strategies for the systemic medical
device security challenges that have persisted in healthcare, leaving many
provider organizations to simply accept a certain level of risk when it
comes to vulnerable and/or legacy devices.

If enacted, the legislation would create cybersecurity requirements for
manufacturers to gain premarket approval through the Food and Drug
Administration, while enabling these vendors to design and maintain patch
processes and procedures for devices and systems throughout the lifecycle.

Further, the PATCH Act would mandate the development of a postmarket
cybersecurity plan for identifying, monitoring, and addressing
vulnerabilities, in addition to requiring a coordinated vulnerability
disclosure process from the manufacturer to determine device safety and
effectiveness.

Although the bills include a number of measures healthcare leaders have
discussed at length in recent years, Steve Abrahamson, executive director of
technology consulting at EY, explained that the legislation appears to focus
only on regulated devices and on adding new security controls to devices
going forward, rather than addressing "the more dominant issues affecting
healthcare security."

"Attempting to broadly define design requirements for cybersecurity across
a broad range of devices may result in added costs with minimal benefits,"
said Abrahamson. "A better approach may be to view security at the
healthcare delivery level."


Instead, resources should target improving operational security practices
to target both new and legacy devices, as well as non-regulated healthcare
information systems, "when considering the added costs that will result
from a regulatory approach to medical device security," he added.

One of healthcare's largest challenges is its reliance on older, legacy
devices that meet their clinical use but weren't designed with security in
mind. The legislation does not appear to contain language that would
address those issues.

Further, "medical device manufacturers do not operate the devices they
manufacture and have little influence over the operational security
measures employed by the healthcare delivery organizations; adding
regulatory requirements to the design does not guarantee any benefit within
healthcare operations," Abrahamson noted.

Both the House and Senate bills include the same proposed requirements,
including the requirement that an SBOM for each device be provided to
users. In February, Linux research found the healthcare sector leading
other industries on SBOM adoption, despite its ongoing cybersecurity challenges
and vulnerabilities.

The machine-readable data lists software packages, contents, copyrights,
and license data for each device to provide transparency into its
components. As noted by many healthcare providers, a lack of insight into
device components has added to patch management challenges as providers are
unsure of whether devices are operating with certain disclosed
vulnerabilities.

In response, the Linux report showed that many hospitals are adding the
SBOM requirements into their procurement contracts. However, many leaders
don’t know how to examine an SBOM, the package manager listings, or open
source licensing distribution lists to find risky elements.

As such, even if the PATCH Act passes and the SBOM requirement is added,
it’s unclear whether the legislation would also add needed educational
elements to make SBOMs more user-friendly. As Abrahamson explained, "Only
the manufacturer of the device will have the engineering knowledge of the
device required to make this determination."
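The article describes what an SBOM contains (package names, versions, licenses, machine-readable) and notes that many healthcare leaders do not know how to examine one for risky elements. The following Python script is an added example, not part of the article or of any vendor's tooling, showing the mechanical part of that review: it parses a constructed CycloneDX-style JSON SBOM for a hypothetical device, compares each component's version against a constructed advisory feed (placeholder identifiers, no real CVEs), and separately flags components with no declared version or with a license outside an assumed procurement allow-list. The package names, versions, advisory entries and license policy are all constructed for illustration.

```python
import json
import re
from typing import Any, Dict, List, Set, Tuple

# Constructed CycloneDX 1.4-style SBOM for a hypothetical device; not from any real product.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "example-infusion-pump", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libtls-example", "version": "2.4.1",
         "purl": "pkg:generic/libtls-example@2.4.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "libcompress-example", "version": "1.2.11",
         "purl": "pkg:generic/libcompress-example@1.2.11",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "name": "shell-utils-example", "version": "1.30.1",
         "purl": "pkg:generic/shell-utils-example@1.30.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # A component listed without version or license: a gap the reviewer must chase up.
        {"type": "library", "name": "vendor-rtos-net", "purl": "pkg:generic/vendor-rtos-net"},
    ],
})

# Constructed advisory feed (placeholder IDs, not real advisories): package and first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "libcompress-example", "fixed_in": "1.2.12"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "libtls-example", "fixed_in": "2.4.0"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "vendor-rtos-net", "fixed_in": "5.1"},
]

# Licenses the hypothetical procurement policy accepts without further legal review.
APPROVED_LICENSES: Set[str] = {"Apache-2.0", "MIT", "BSD-3-Clause", "Zlib"}


def parse_version(version: str) -> Tuple[Tuple[int, Any], ...]:
    """Split '1.2.11' or '1.1.1k' into comparable chunks; numeric chunks sort before letter chunks."""
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.findall(r"\d+|[A-Za-z]+", version))


def load_components(sbom_json: str) -> List[Dict[str, Any]]:
    """Normalise the CycloneDX 'components' array into name/version/purl/licenses records."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("this example handles CycloneDX JSON only")
    comps = []
    for c in bom.get("components", []):
        lic_ids = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
                   for lic in c.get("licenses", [])]
        comps.append({"name": c.get("name"), "version": c.get("version"),
                      "purl": c.get("purl"), "licenses": [i for i in lic_ids if i]})
    return comps


def review_sbom(sbom_json: str, advisories: List[Dict[str, str]],
                approved_licenses: Set[str]) -> Dict[str, List[Dict[str, Any]]]:
    """Cross-reference SBOM components against advisories and the license allow-list."""
    findings: Dict[str, List[Dict[str, Any]]] = {"affected": [], "unknown_version": [], "license_review": []}
    for comp in load_components(sbom_json):
        name, version = comp["name"], comp["version"]
        matching = [a for a in advisories if a["package"] == name]
        if version is None:
            # Cannot be assessed at all; record which advisories would apply if the version were known.
            findings["unknown_version"].append({"component": name,
                                                "advisories": [a["id"] for a in matching]})
        else:
            for adv in matching:
                if parse_version(version) < parse_version(adv["fixed_in"]):
                    findings["affected"].append({"component": name, "version": version,
                                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
        unapproved = [lic for lic in comp["licenses"] if lic not in approved_licenses]
        if unapproved or not comp["licenses"]:
            findings["license_review"].append({"component": name,
                                               "licenses": comp["licenses"] or ["<none declared>"]})
    return findings


if __name__ == "__main__":
    print(json.dumps(review_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES, APPROVED_LICENSES), indent=2))
```

The output is a triage list, not a verdict: a component flagged as affected still needs the engineering judgement the article quotes Abrahamson on, since only the manufacturer knows whether the vulnerable code path is reachable on that device. The "unknown_version" bucket is the practical reason to insist on complete SBOMs in procurement contracts: an unversioned entry cannot be matched against any advisory.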

Despite these challenges, the FDA has advocated for continued transparency
around device elements and risks through the SBOM. In its latest budget
request, the agency asked for a $5 million budget increase to develop “a
more comprehensive cybersecurity program for medical devices,” including
identifying and remediating device flaws that pose a national security risk.

The proposed bills come on the heels of separate healthcare legislation
introduced on Apr. 25, which would see the Department of Health and Human
Services partnering with Cybersecurity Infrastructure Security Agency to
improve the sector’s overall infrastructure.