In February, Warner sent letters to AHA, AMA, and other healthcare groups asking for feedback on reducing cybersecurity vulnerabilities in the healthcare sector.
“As we welcome the benefits of healthcare technology, we must also ensure we are effectively protecting patient information and the essential operations of our health care entities,” he wrote in his letter.
In its response, AHA recommended that manufacturers implement security measures for legacy devices, such as wrapping security precautions around these devices, adding security tools and auditing tools, conducting regular patching of software, and informing providers of security vulnerabilities quickly through clearly identified and consistent channels.
Unfortunately, manufacturers have “little incentive” to implement these security measures for legacy devices because they have already been sold to the providers.
Therefore, the FDA should mandate these security procedures for legacy devices, instead of making them optional, the AHA recommended.
AMA Pushes for Software Bill of Materials for Medical Products
In its letter to Warner, the American Medical Association recommended that makers of medical devices and health IT products provide a software bill of materials (SBOM).
“The AMA strongly supports the creation of SBOMs for all technologies currently in use. An SBOM includes a list of components (e.g., equipment, software, open source, materials) in a given technology and any known risks associated with those components to enable health care providers to more quickly determine if they are impacted by a cybersecurity threat,” the letter said.
An SBOM can help a physician better understand vulnerabilities and prioritize which vulnerabilities pose the biggest threats to patients. Physicians can better manage risk when they understand the software supply chain and the known vulnerabilities in the components an SBOM lists.
Should a security breach happen, an SBOM can help physicians in identifying and describing open source and third-party software components to enable a rapid response, the AMA argued.
An SBOM can also help a physician conduct a security risk analysis, which is a requirement of the Health Information Portability and Accountability Act (HIPAA). The SBOM can help physicians to accurately assess the risk of medical devices on their networks and mitigate the risk, particularly when patches are not available, AMA noted.
While the AMA stops short of recommending that manufacturers be required to provide SBOMs, the FDA is considering mandating that manufacturers provide an SBOM as part of their premarket submission.
In its medical device action plan released in April last year, the FDA argued that an SBOM would enable customers and end-users to better manage their network assets, be aware of which devices may have vulnerabilities, and help in postmarket mitigation efforts.
In October, the FDA released a draft of its Premarket Submissions for Management of Cybersecurity in Medical Devices in which the agency proposed a cybersecurity bill of materials requirement.
The CBOM would include a list of commercial, open source, and off-the-shelf software and hardware components that are or could become vulnerable to attacks, to enable device users to “manage their assets, to understand the potential impact of identified vulnerabilities to the device (and the connected system), and to deploy countermeasures to maintain the device’s essential performance.”
The FDA recommended that the CBOM be included in device labeling to provide relevant security information to end-users, and that the CBOM be cross-referenced with the National Vulnerability Database in a security risk management report about the device.
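To make the cross-referencing step concrete, here is an added example (not from the article, the AMA or the FDA) that matches a constructed SBOM for a hypothetical legacy device against a constructed vulnerability list and ranks the hits, flagging the ones with no patch as candidates for network-level mitigation. The CVE-style identifiers, component names, versions and scores are placeholders, and the flat "affected below version" schema is an assumption, not the real NVD format.

```python
# Added example: cross-reference a constructed SBOM against a constructed
# vulnerability list (placeholder IDs, not real CVEs; not a real NVD feed).

# Constructed SBOM for a hypothetical legacy infusion pump (not a real device).
SBOM = {
    "device": "example-infusion-pump",
    "components": [
        {"name": "openssl", "version": "1.0.1"},
        {"name": "busybox", "version": "1.30.0"},
        {"name": "vendor-telemetry-agent", "version": "2.4"},
    ],
}

# Constructed vulnerability records; every field here is illustrative.
VULN_DB = [
    {"id": "CVE-0000-0001", "component": "openssl",
     "affected_below": "1.0.2", "cvss": 7.5, "patch_available": True},
    {"id": "CVE-0000-0002", "component": "busybox",
     "affected_below": "1.31.0", "cvss": 5.3, "patch_available": True},
    {"id": "CVE-0000-0003", "component": "vendor-telemetry-agent",
     "affected_below": "3.0", "cvss": 9.8, "patch_available": False},
    {"id": "CVE-0000-0004", "component": "openssl",
     "affected_below": "1.0.0", "cvss": 9.1, "patch_available": True},
]

def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def match_vulnerabilities(sbom, vuln_db):
    """Return every vulnerability whose affected range covers an SBOM component."""
    hits = []
    for comp in sbom["components"]:
        for vuln in vuln_db:
            if (vuln["component"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(vuln["affected_below"])):
                hits.append({**vuln, "installed": comp["version"]})
    return hits

def prioritize(hits):
    """Highest CVSS first; at equal score an unpatched issue outranks a patched one,
    since it needs compensating controls on the network rather than a patch."""
    return sorted(hits, key=lambda h: (-h["cvss"], h["patch_available"]))

if __name__ == "__main__":
    for h in prioritize(match_vulnerabilities(SBOM, VULN_DB)):
        state = "patch available" if h["patch_available"] else "NO PATCH: mitigate on network"
        print(f'{h["id"]} {h["component"]} {h["installed"]} cvss={h["cvss"]} ({state})')
```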