By Connor Walsh
The evolution of the 510(k) process regarding cybersecurity reflects a growing recognition of the importance of securing medical devices against potential cyber threats. However, challenges remain, and continued efforts are needed to ensure that medical devices are adequately protected against cybersecurity risks.
In December of 2022, President Biden signed into law the Consolidated Appropriations Act, which gave the FDA additional oversight of medical device cybersecurity. In response, the FDA recently amended the 510(k) approval process to include new sections that strictly require medical device manufacturers (MDMs) to answer questions about their product's cybersecurity. We hope to dive into some of the important changes and to educate healthcare delivery organizations (HDOs) on what they can expect from new medical devices that come to market.
Risk identification and management is extremely important in the world of medical device cybersecurity. How would one apply appropriate mitigations if risks had not been identified or threats modeled? The FDA has done a great job in this space by now requesting that MDMs provide a risk management report, a threat model that addresses end-to-end elements of the system, a cybersecurity risk assessment, and a detailed software bill of materials (SBOM). These documents will allow HDOs to complete accurate risk assessments for the new medical devices that they are installing in their environment.
A common problem that many HDOs have experienced with medical devices revolves around sound vulnerability management practices. It is very difficult to design a policy when it seems like most MDMs have different patching routines. The FDA has addressed this challenge by requiring information on disclosure requirements for unresolved anomalies on medical devices, cybersecurity testing to ensure the device is hardened, and finally a cybersecurity labelling and management plan in which MDM patch management policies must be outlined. It will be much easier for HDOs to develop and audit patch management with these additional documents.
In addition to the above, the FDA now requires eight (8) new cybersecurity controls that must be addressed by MDMs. These include authentication controls, authorization controls, cryptography controls, code/data/execution integrity controls, confidentiality controls, event detection/logging controls, resiliency/recovery controls, and firmware/software update controls. There is also a requirement to include how the MDM plans to monitor its cybersecurity metrics. This is a big benefit to HDOs, as it provides clear guidance on how cybersecurity will be handled throughout the medical device life cycle.
As reported in the 405(d) Hospital Cyber Resiliency Initiative Landscape Analysis late last year, medical devices are typically not a threat vector that adversaries target, but they are one that HDOs must stay diligent in protecting. Every day, it feels like new attacks are launched against HDOs, and the consequences could be catastrophic if critical medical systems were compromised. The new 510(k) requirements that the FDA has published make this task much easier and will go a long way in supporting cybersecurity across the medical device space.