FDA shores up cybersecurity requirements for medical devices
Below: A fertility app settles with the FTC for allegedly sharing data with China-based companies, and Montana enacts a TikTok ban. First:
FDA shoring up requirements for medical devices as cyberthreats increase
Medical devices still face significant cybersecurity threats, a federal official warned this week.
Brian Mazanec, the HHS deputy director of the office of preparedness, told a House panel that HHS found that nearly all hospitals it surveyed had some devices running operating systems that are no longer supported or software with known vulnerabilities.
Now, stricter laws for device manufacturers are in play after President Biden signed the 2023 omnibus package at the end of last year: Device makers are required to give key cybersecurity information to the Food and Drug Administration (FDA) before they go on the market.
But the FDA so far isn’t being strict about device cybersecurity requirements. The agency has decided to not yet outright reject applications for new devices, and it’s giving device sponsors until October to work out discrepancies.
It’s evidence that regulators are willing to work with industry on the approval approach, a senior administration official told The Cybersecurity 202, speaking on the condition of anonymity to candidly discuss the Biden administration’s work in the area.
- The push for stronger device protections is part of the administration’s broader push to protect critical infrastructure like pipelines and electric grids, the senior official added.
- “If you look at ongoing ransomware attacks against hospitals … we realized that many critical companies were not implementing cybersecurity basics” that make it harder for attackers to compromise devices and health systems, the official said.
The FDA defines medical devices as any instruments, machines or implants that are designed to treat, prevent or diagnose a disease. That can range from something as simple as an electronic thermometer to an MRI machine or heart monitor.
The diversity of medical devices — as well as their pervasiveness — makes them a unique area for cybersecurity.
Medical devices face potentially greater cyberthreats as the devices become more complex, Jessica Wilkerson, senior cyber policy adviser and medical device cybersecurity team lead in the FDA’s Center for Devices and Radiological Health, told me. She cited a tongue depressor, the popsicle-stick-like device that pushes down someone’s tongue for a throat examination, as a basic example of a medical device that doesn’t bring cyber concerns with it.
But a device that delivers a treatment to a patient is a different story, she said. A doctor might evaluate the dosage amount remotely, or the device might be connected to another device or piece of software running in the cloud. “That kind of remote capability opens up the potential for that remote capability to be interrupted,” she said.
Medical devices’ connectivity and interoperability in health-care settings like hospitals means that if one system goes down, another is likely to follow, said Michelle Jump, CEO of MedSec, a medical device cybersecurity solutions company.
- The North Korea-linked 2017 WannaCry ransomware attack, which affected the U.K.’s NHS hospital operations, was a major wake-up call for the device industry, she said.
- “Ransomware is a huge problem that can cripple a hospital once it gets into the system because everything’s connected. And if all the connection points are vulnerable, you’re in for a world of hurt,” she said.
The additional authorities
The FDA previously put into effect guidance for before and after a device is approved for sale. But those guidelines were not legally binding. The new language in the omnibus legislation puts FDA requirements for medical device companies into law and gives the FDA a $5 million boost to hire people to enforce those rules.
The rules went into effect in late March, but federal officials say they won’t necessarily outright reject applications for new devices. Instead, they say they’ll try to work with submission sponsors until Oct. 1 to address any deficiencies.
- It’s a major effort between industry and regulators, and Wilkerson said the FDA is currently undertaking an effort to hire and train new staff to be able to review medical device cybersecurity information. It’s also working to develop a program that can respond to medical device vulnerabilities.
- Comprehensive guidance for how to design and maintain security features in medical devices over their entire product life cycle is scheduled to be released by the end of September, she added.
- There was no traditional public comment period for the rules. At least one industry group has weighed in on the guidance. As Politico reported in March, “The Medical Imaging & Technology Alliance said it welcomes the FDA’s flexibility on implementing the cybersecurity provisions.”
The amended rules focus heavily on ensuring that manufacturers can prove they have a plan to deal with cybersecurity vulnerabilities that surface after their product is released, such as being able to send patches to devices on a regular basis and update critical vulnerabilities in devices as needed.
Manufacturers would also have to provide regulators with a software bill of materials, which is like an ingredient list of code, tools, processes and other components that make up their software. They’d also have to require outside researchers to test devices for vulnerabilities and publicly disclose any discovered vulnerabilities.
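The software bill of materials described above is only useful if someone actually checks it against known vulnerabilities as they surface. The script below is an added illustration of that step and is not code from the FDA, MedSec, or the newsletter: it reads a small, constructed CycloneDX-style SBOM (JSON), compares each pinned component version against a made-up advisory list, and flags components that need a patch plus any component shipped without a version, since those cannot be checked at all. The advisory identifiers, component names and versions are placeholders, and a real deployment would pull advisories from a vulnerability database rather than a hard-coded dictionary.

```python
"""Cross-check an SBOM against known-vulnerable component versions.

Added example. SAMPLE_SBOM is a constructed, minimal CycloneDX-like document
and SAMPLE_ADVISORIES is a made-up advisory feed with placeholder ids.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM: one entry deliberately lacks a version to exercise
# the "cannot be checked" path.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "1.0.2u", "purl": "pkg:generic/openssl@1.0.2u"},
        {"name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "vendor-rtos-blob"},
    ],
})

# Constructed advisory feed: component -> [(first fixed version, advisory id)].
# Ids are placeholders, not real advisories.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "openssl": [("1.1.1", "ADV-PLACEHOLDER-1")],
    "zlib": [("1.2.12", "ADV-PLACEHOLDER-2")],
}


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.2u' into ((1,''),(0,''),(2,'u')) so tuples compare sensibly."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, Optional[str]]]:
    """Extract (name, version) pairs; a missing version is kept as None, not dropped."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    comps: List[Dict[str, Optional[str]]] = []
    for c in doc.get("components", []):
        comps.append({"name": c.get("name", "?"), "version": c.get("version")})
    return comps


def find_vulnerable(components, advisories) -> List[Tuple[str, Optional[str], str]]:
    """Return (name, version, advisory) for every component below a fixed version.

    Components without a version are reported as UNVERSIONED because an
    ingredient list that omits the version cannot be matched to an advisory.
    """
    findings = []
    for comp in components:
        name, version = comp["name"], comp["version"]
        if version is None:
            findings.append((name, None, "UNVERSIONED"))
            continue
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, adv_id))
    return findings


def report(sbom_json: str, advisories) -> List[Tuple[str, Optional[str], str]]:
    return find_vulnerable(load_components(sbom_json), advisories)


if __name__ == "__main__":
    for name, version, adv in report(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version or '<no version>'}: {adv}")
```

Running it prints two patch-needed findings and one unversioned component. The unversioned case is worth keeping in any real checker: silently skipping it would let the least-documented component, often a vendor binary blob, escape review entirely.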
“Based on what we had been seeing … we believed that it would benefit the entire sector to have these additional authorities to really emphasize how critical cybersecurity is to patient safety,” Wilkerson said.
Like any regulation, implementing these practices is another challenge.
Foundational requirements for resilient medical devices can be easily outlined, but “it really takes the industry to go the next mile and design and implement these systems,” said Kevin Fu, a computer science professor at Northeastern University and the FDA’s first acting director of medical device cybersecurity.
- “The good news is that a lot of the science and engineering from cybersecurity and medical device design have reached the [device] industry, but it’s not universally or even widely deployed yet,” he said.
- For instance, some devices still use their factory-default passwords, allowing malicious hackers to break in more easily.
The processes for installing extra device protections can get highly technical, and it’s not realistic for the end user of a device to be responsible for them, Fu said. And manufacturers might struggle with the level of detail required to prove that a product is ready for market use, MedSec’s Jump said.
But the circumstances are being met with sympathy. “[The FDA] is trying to future proof right now, which is understandable,” she said. “You clear these devices today, and you know that some of them are going to be used for the next 20 years.”
Fertility app settles with FTC, attorneys general over allegedly sharing sensitive data
Easy Healthcare, which owns fertility app Premom, has settled with the Federal Trade Commission and three attorneys general for a total of $200,000 over allegations that it shared sensitive user data with two China-based companies without consent, our colleague Tatum Hunter reports.
The pair of China-based firms are known for “suspect privacy practices,” according to the D.C. attorney general. The attorneys general for Connecticut and Oregon also worked with the FTC on the settlement. Easy Healthcare agreed to stop sharing the information.
When the Supreme Court overturned Roe v. Wade, it unleashed fears about digital privacy and fertility apps.
- This marks the third time this year that the FTC has taken prominent action against digital health companies for allegedly sharing user information.
- A Washington Post investigation last year found privacy shortcomings in popular digital health apps.
Meta set to face biggest E.U. privacy fine to date
A record European Union privacy fine looms for Meta, according to Bloomberg News’s Stephanie Bodoni.
“Ireland’s data protection commission will punish the social network giant for failing to heed a top court warning aimed at protecting users’ data from the prying eyes of US security services once it’s shipped to servers across the Atlantic,” Bodoni writes.
- Bloomberg News reported that the fine will exceed the previous record fine of more than $800 million dealt to Amazon in 2021. (Amazon founder Jeff Bezos owns The Washington Post.)
- The Bloomberg News story doesn’t give a precise amount of the fine that Meta is facing.
Meta has warned that a ban on U.S. data transfers could lead to it suspending Facebook services in Europe. Meta declined to comment to Bloomberg News.
Montana enacts country’s first complete TikTok ban
Montana Gov. Greg Gianforte (R) on Wednesday signed into law a complete ban on TikTok, making it the first state to do so, as our colleague Erica Werner reports.
“Today, Montana takes the most decisive action of any state to protect Montanans’ private data and sensitive personal information from being harvested by the Chinese Communist Party,” Gianforte said in a statement.
China-based ByteDance, the owner of TikTok, opposed the legislation, as did the American Civil Liberties Union. ByteDance said it has never given U.S. citizens’ information to the Chinese government. The ACLU and TikTok both say the ban raises free-speech concerns. A legal challenge is expected.
- Some U.S. states, the Defense Department and other nations have prohibited the use of TikTok on government devices, and in some cases, all devices that personnel use. Montana had already been among them.
- The ban that Gianforte signed Wednesday would fine TikTok and app stores $10,000 for making it available in Montana.
- The Montana ban is set to go into effect Jan. 1, assuming a court doesn’t block it.
“Because Montana can’t establish that the ban is necessary or tailored to any legitimate interest, the law is almost certain to be struck down as unconstitutional,” said Jameel Jaffer, executive director of the Knight First Amendment Institute at Columbia University.
House hearing details cyber resilience efforts for energy, water and healthcare (Cybersecurity Dive)
Leak suspect shared classified secrets with foreigners, prosecutors say (Devlin Barrett)
There’s now even less reason to blame Clinton for the Russia probe (Philip Bump)
FBI: Agents set to testify on alleged abuses had clearances revoked over security concerns (Jacqueline Alemany)
Russian scientists, experts in hypersonic technology, arrested for treason (Francesca Ebel)
Computer in Russia breached Metro system amid security concerns, report says (By Justin George and Ian Duncan)
Philadelphia Inquirer hit by apparent cyberattack amid election coverage (Kyle Melnick, Adela Suliman and Kim Bellware)
- The Center for Strategic and International Studies holds its event to launch a report on cyber operations at 10 a.m.
Thanks for reading. See you tomorrow.