Medical device regulation is an important part of the healthcare industry: it helps protect patients by ensuring that any device used for the diagnosis, treatment or prevention of a medical condition meets defined standards of safety and quality.
There’s no doubt that medical technology has advanced, and it is set to develop even further in the future. This technological evolution comes at a cost, though. Cyber threats increase exponentially as medical devices and systems become digital and connected.
Cyber attacks on the healthcare industry have consistently increased year after year. One of the worst upticks in attacks was in 2022, which saw an 86 percent rise in the number of weekly attacks compared to 2021.
In response to the worsening cybersecurity situation, governments have been intervening, with serious efforts to close as many loopholes as government regulation allows.
One of the more recent examples of the acknowledgement of the need for medical device regulation is the appropriations bill passed by the United States Congress just before the end of 2022. It includes provisions that compel companies that make internet-connected medical devices to ensure the security of their products. The bill provides the health and human services authority the power to issue requirements and regulations relevant to the cybersecurity of connected medical devices.
Other countries also have similar regulations or proposals to secure connected medical devices. The European Union has its Cyber Resilience Act, which mandates cybersecurity requirements for IoT products including medical devices.
Japan’s Ministry of Health, Labor and Welfare (MHLW) updated its regulations for medical devices in early 2022 to emphasize cybersecurity. Meanwhile, China’s Center for Medical Device Evaluation (CMDE) has new “guiding principles” for medical software used in 18 product categories.
The United Kingdom is also working on a new bill called the Product Security and Telecommunications Infrastructure Bill, which aims to ensure the cybersecurity of various web-enabled devices, including those used in healthcare.
More governments are expected to pass new legislation and regulations, or update their existing ones, to reflect the new challenges in cybersecurity. Relying on the initiatives of private organizations appears to be no longer an option.
There have been various initiatives, including government-and-private collaborations, to address emerging cyber threats. They do not seem enough, however, to keep up with the many ways threat actors exploit vulnerabilities as attack surfaces expand with the increased digitization and connectivity across many aspects of the medical and healthcare industry.
One of the reasons why medical device regulation was inserted in the 2022 appropriations bill of the United States is the surge of vulnerabilities in medical devices. In December last year, the FBI raised the alarm over hundreds of vulnerabilities discovered in widely used medical devices, which create opportunities for cyber attacks.
“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the FBI alert notes. Specifically, the federal agency cited security weaknesses in intracardiac defibrillators, pacemakers, insulin pumps, mobile cardiac telemetry, and pain relief pumps.
Government intervention is necessary because most of the cybersecurity problems in medical devices are beyond the capacity and expertise of users to fix. Most devices are deployed and used for several decades without users being expected to regularly examine their configurations and firmware.
Many devices are shipped to medical facilities with standard configurations for out-of-the-box deployment. They are then used by hospitals for twenty to thirty years. This creates ample opportunities for threat actors to meticulously look for vulnerabilities or wait for software update glitches that may create windows for intrusion.
This risk is best addressed by the device manufacturers themselves. As such, it makes more sense to mandate that manufacturers implement security measures to protect these long-term-use devices.
On the other hand, there’s the issue of legacy devices becoming a serious cybersecurity threat. One study estimates that nearly three-quarters of medical devices worldwide still use legacy operating systems. This is a major risk, especially for devices that can directly affect people’s health and lives. Again, this is something best addressed by the manufacturers, and regulation is the only way to compel device makers to be accountable.
Additionally, increased regulation is warranted because public-private cybersecurity partnerships tend to be insufficient. Stanford Cyber Policy Center advisor Jim Dempsey cites the infamous Colonial Pipeline incident in 2021 as proof that governments could do more to bolster cybersecurity amid the inadequacy of private-public cybersecurity cooperation.
Moreover, regulation ensures that the medical devices available on the market are safe. Instead of relying on economic factors to force manufacturers to become more competitive by offering better and more secure products, governments can intervene and ensure that only safe and secure products are made available. Manufacturers can compete in other areas such as the features and longevity of the devices they are offering.
There are sensible criticisms of increased regulation in the name of cybersecurity. One is the possibility that it makes organizations less flexible, limiting their ability to respond to specific attacks and to innovate in order to become better at handling cyber threats.
Also, compliance costs can be onerous, which may lead to some organizations focusing on merely complying with regulations instead of actually strengthening their security posture.
Some also point to the lack of expertise, or outright incompetence, of the legislators and policymakers who push for regulations. The requirements imposed may not actually solve the real problems, especially with all the corporate lobbying involved. The medical device regulation provision in the 2022 US appropriations bill, for example, was reportedly watered down because of lobbying.
The bill passed by the House used a broader definition: a device was covered if it had any of three attributes, namely the presence of software or firmware, the ability to connect to the internet, and vulnerability to cybersecurity threats. The version that passed in the Senate, however, limits the definition to devices that have all three attributes, not just one of them. This essentially reduces the number of devices covered by the legislation.
Furthermore, doubts have been raised about the ability of governments to properly secure the private and sensitive data that may be gathered in the course of regulatory compliance. Governments around the world have documented histories of incompetence in handling private data and of being pummeled by aggressive cyber attacks that lead to system downtime.
If medical technology is advancing, isn’t it enough that cybersecurity technology is also advancing to keep up with the new threats? Security firms regularly come up with new solutions to address emerging threats.
Why is there a need for regulation if this is the case? The answer is simply that there are vulnerabilities that cannot be adequately resolved by device users alone, especially for those involved in the field of healthcare. They have limited resources and are more likely to spend these resources on their core services instead of boosting their IT and cybersecurity teams.