Last month, the United States Food and Drug Administration (FDA) issued long-awaited guidance for properly securing medical devices. The new requirements include comprehensive plans for handling cybersecurity issues and adopting common practices like threat modeling before a device receives approval for public use.
As with many regulations related to cybersecurity practices, the new FDA requirements fall firmly into a "necessary but not sufficient" bucket. Yes, these are long-awaited and much-needed steps in the right direction that were received with much fanfare. Unfortunately, they are also regulations that must deal with the complexities of evolving attack patterns, thousands of manufacturers, and balancing forward-looking requirements with threats posed by millions of in-use devices.
The regulations will absolutely improve the security posture of individual devices. In a world where 53% of connected medical devices contain critical risks, and 73% of IV pumps have risks that would impact patients if exploited, the requirement to have highly trained security experts examine devices has long been needed.
As powerful as threat modeling is, it does not relieve the burden of defense in depth faced by device manufacturers and the hospitals that deploy their technologies. The reality is that securing healthcare facilities is incredibly difficult - which is precisely why the entire healthcare industry is the primary focus of attacks and experiences the highest costs related to data breaches.
Fortunately, healthcare leaders are not battling ransomware attacks and data breaches alone. On top of their traditional (and aging) IT infrastructure, a wide range of new technologies is adapting leading protections from other industries to the specific needs of healthcare.
Beyond pre-release activities like threat modeling and penetration testing, forward-thinking hospitals are beginning to adopt approaches to securing the thousands of in-place devices they already have. From automatic device detection based on network traffic to segmenting networks to minimize the spread of attacks, these network-level protections provide an additional layer of security on top of the individual device requirements now being regulated by the FDA. The more advanced among them, including my employer, Cynerio, can also detect and respond to ransomware attacks that in-place systems miss.
Overall, the FDA should be applauded for the newly released regulations. As with any regulation, there are sure to be blind spots and unexpected edge cases, but as a whole, this is a massive positive step forward. To help the broader healthcare community understand these new FDA regulations and the additional protections that leading facilities are adopting, I look forward to getting perspectives on this from other experts in the industry in the upcoming Ed TALKS webinar "Modernizing Medical Device Security: A New Perspective on Old Practices," on Wednesday, June 21, at 1 pm ET / 10 am PT.
About Chad Holmes, Product Evangelist, Cynerio
Chad heads up thought leadership for Cynerio, a company committed to addressing healthcare cybersecurity challenges of insecure IoT, IoMT, OT, and unmanaged “shadow” IT. He is an experienced security architect, penetration tester, and evangelist focusing on engineering and cybersecurity education. He has worked for software security industry trailblazers like Security Innovation, Cigital, Veracode, Red Hat, and Accenture. Chad is a frequently sought speaker at industry conferences and has a large following for his healthcare security blog and webinar series.