Unacceptable Risk: Mastering New Vulnerability Management Requirements for Medical Devices

Shlomit Cymbalista
Shlomit Cymbalista

3  min read | min read | 13/06/2024

New Emphasis on Vulnerability Management and Risk Mitigation

A lot has been changing in the world of medical device cybersecurity. Specifically, we’ve seen a distinct emphasis on vulnerability management and risk mitigation. This can be seen through the new requirements to provide a Software Bill of Materials (SBOM) for each new submission, and a postmarket plan for handling new vulnerabilities and cybersecurity risks. Both requirements were highlighted in the 2023 Omnibus Bill (524B(a) of the FD&C Act) and the FDA’s final guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” and have been the focus of great discussion by the regulatory authorities, manufacturers, and healthcare providers. 

The Critical Need for SBOM and Postmarket Plans

The importance and focus on these two particular requirements can be traced back to a 2022 report where the FBI found 53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities, and that there was an average of 6.2 vulnerabilities per medical device. Looking at these numbers, it is easy to understand why regulators wanted to implement security measures to prevent this from continuing. The idea is that medical devices should be designed and developed with security “built in” to the device- but that alone is not enough. Vulnerabilities and how they’re exploited is not stagnant. New vulnerabilities are constantly identified, as well as new ways to exploit them. This is why the FDA requires manufacturers to first educate themselves and report on what vulnerabilities are present in their devices via an SBOM, and develop a plan for handling these vulnerabilities down the line in a postmarket cybersecurity plan.  

Industry Response to New Requirements

So how has the industry been handling these new requirements? It appears that some are faring better than others. In a number of recent interviews with FDA cybersecurity experts, many submission issues or rejections have stemmed from design control documentation deficiencies and SBOMs. To add to this, at the recent Health-ISAC Spring Americas Summit, experts from the FDA’s cybersecurity team noted that the current approach to low risk vulnerabilities that many manufacturers have taken is not sufficient. Manufacturers are required to provide a Cybersecurity Management Plan as part of each submission. This plan defines the post market activities the manufacturer intends to implement to identify, monitor and respond to vulnerabilities, both current and future ones. It is common that at the point of a release, a device may have known vulnerabilities that are deemed low or moderate risk and therefore considered “acceptable risk.” While this may be acceptable at the time of release, the FDA has noted in this recent Health-ISAC Summit that these vulnerabilities must be addressed in the Cybersecurity Management Plan and manufacturers must have steps in place to patch the vulnerabilities, or some alternative mitigation. They noted that it is no longer acceptable to simply state that the manufacturer accepts this risk. 

Aligning with the FDA’s Cybersecurity Strategy

Although frustrating to many manufacturers, this is in line with the FDA’s cybersecurity strategy. Remember, one of the biggest problems facing the healthcare industry is the extraordinary number of vulnerable legacy devices still being used in the field. The FDA wants to prevent this cycle from reoccurring. Vulnerabilities evolve, threat actors get smarter, and new attack vectors are discovered. A low risk vulnerability may become critical tomorrow, or many low risk vulnerabilities in a device can lead to damage to a device maybe just at a slower rate. Imagine a dam with many small cracks. Each individual crack might seem insignificant, but together, they can weaken the entire structure and lead to a catastrophic failure. Similarly, numerous low-risk vulnerabilities can combine to pose a significant threat, just like a single major vulnerability.

Embracing the Cultural Shift in Medical Device Security

These new requirements reflect a necessary evolution that has been unfolding over the years. Although there is still much work to be done to enhance security in our industry, the FDA’s new regulations and the legislative support from Congress via the Omnibus Bill are guiding us toward a more secure and resilient future.

Additional Resources and Continued Learning

We encourage you to follow the FDA on LinkedIn and through their Digital Health Center of Excellence for Cybersecurity. In addition, groups such as Health Sector Coordinating Council (HSCC) provide a continuous stream of  value, and actionable direction for both Healthcare Delivery Organizations (HDO) and Medical Device Manufacturers (MDM). 

How can Sternum help?

Sternum’s patented EIV software technologies provides medical device manufacturers real-time security controls to mitigate exploitations of a wide array of minor and major vulnerabilities. 

Avoid approval delays from missing key cybersecurity mitigations for low risk vulnerabilities, learn more about Sternum for IoT security and Schedule a demo.

JUMP TO SECTION

Enter data to download case study

By submitting this form, you agree to our Privacy Policy.