Years of alarm bells from cybersecurity experts about the vulnerabilities of medical devices are finally being heard by Congress. Senators proposed a new bill this week that would require the Food and Drug Administration to issue cybersecurity guidelines more regularly, and share information about vulnerable devices on its website.
The legislation, first reported by CyberScoop, comes from Sens. Jacky Rosen (D-Nev.) and Todd Young (R-Ind.). The bill comes a few weeks after cybersecurity expert Joshua Corman testified before a Senate committee on the vulnerabilities of medical devices to cyberattacks, and a few months after FDA leaders asked Congress in April to dedicate more funding and authority to the agency around device cybersecurity.
Experts have warned for years that medical devices connected to the internet are major targets for hackers, and that the healthcare industry is unprepared to deal with the threat — which puts both patient data and patient health in danger. Everything from drug infusion pumps to hospital beds can be connected to the internet, leaving them open to exploitation.
Right now, there are no requirements for how frequently the FDA has to put out recommendations for how medical device makers should secure their devices. The last guidance went out in 2018. The agency released new draft guidance in April of this year. The legislation proposed by Rosen and Young would require the FDA to issue guidelines every two years. It would also require that the agency put information about any issues with devices on its website, and offer support to health care workers and companies around those issues.
Issuing regular guidelines for medical device companies could ensure that newer devices coming onto the market are more secure against known cyber threats. But that doesn’t help as much with the devices in use today, which aren’t secure, or help health care organizations keep tabs on emerging problems. Many organizations don’t have staff dedicated to cybersecurity and struggle to even keep tabs on the status of devices that they use. Updates on the FDA website could make the information more accessible.
Even with this momentum, the gaps in healthcare and medical device cybersecurity are enormous. Attacks are increasing and not enough organizations have resources devoted to stopping them. In his Senate testimony, Corman said that he’d always thought that someone would have to die before regulators took action on medical device cybersecurity. Luckily, he said, the FDA started working on the problem before that happened — the agency issued the first alert about a specific device in 2015. And the attention to the issue over the past year as cyberattacks increased in severity and frequency is helping to drive changes forward.
But attacks continue, organizations still don’t have the resources to stop them, and it’ll take much more work to shore up protections. “I am more concerned about the cybersecurity of US healthcare than I ever have been,” Corman said in his written testimony.