For years now, healthcare providers have been struggling with the cybersecurity issues posed by medical devices. One study released in December found that internet-connected medical devices have a 24% greater risk for cyberattacks.
However, a new federal law passed late last year offers some relief.
The Food and Drug Administration (FDA) now has the authority and $5 million to establish security requirements for pre-market medical devices. The new law requires the manufacturers of internet-connected medical machines to reasonably ensure that their equipment and related systems are cybersecure, reports Lawfare.
That means that all medical device submissions will soon be required to include a software bill of materials and evidence that demonstrates the product can be updated with software patches, reports SC Media.
The move is being applauded by much of the healthcare industry and cybersecurity community. However, the new law only applies to pre-market devices that are waiting for FDA approval. It’s also unclear when manufacturers will be required to comply with the new rules.
The cyber risks posed by medical equipment has been widely known for years. Back in 2015, security researchers warned hospitals and the public that thousands of medical devices were vulnerable to hacking. That equipment included MRI scanners, X-ray machines, and drug infusion pumps.
In 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to hospitals and other healthcare facilities about dozens of GE Healthcare imaging and ultrasound products used for CT scans, MRIs, mammograms, ultrasounds and positron emission tomography.
In late 2021, the FDA warned healthcare providers that widespread cybersecurity vulnerabilities in commonly used software could affect medical devices by allowing unauthorized users to take control. Other warnings have been issued over the years regarding the cybersecurity issues related to defibrillators, pacemakers.
The medical device security issues add to a growing list of cybersecurity challenges facing healthcare. According to one report, last year nearly 300 U.S. hospitals were impacted by ransomware attacks.
Cybersecurity breaches can result not only in the unauthorized sharing and use of patient and employee information, they can negatively affect patient care.