Cybersecurity in Medical Devices: How Did 524B Come About?

Section 524B of the Federal Food, Drug, and Cosmetic Act (FD&C Act) emerged once the need for robust cybersecurity in medical devices was recognized.

Background and Predecessors to 524B

The vulnerability of medical devices was documented as early as 2008, when an investigative paper analyzed the security and privacy properties of an implantable cardioverter defibrillator (ICD). The researchers reverse-engineered the ICD’s communications protocol and implemented software radio attacks that compromised patient safety and privacy.

In 2012, the U.S. Government Accountability Office (GAO) released a medical devices report recommending that the U.S. Food and Drug Administration (FDA) develop a more comprehensive plan for the review and surveillance of medical devices and incorporate multiple aspects of information security.

In 2014, the FDA issued guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (which was updated to the current Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions). The original guidance provided recommendations but was not mandatory; it relied on manufacturers to voluntarily incorporate cybersecurity measures.

In 2016, the FDA released the guidance Postmarket Management of Cybersecurity in Medical Devices, which focuses on cybersecurity maintenance after devices are on the market. It emphasizes the need for ongoing monitoring and risk management, but it’s not mandatory to use this approach.

As can be expected, the adoption of robust cybersecurity practices varied widely among manufacturers. Some proactively implemented them while others lagged. Continued vulnerabilities and incidents reinforced the need for stringent regulatory oversight.

Cybersecurity Incidents That Led to Writing Section 524B

WannaCry Ransomware Attack

In May 2017, the WannaCry ransomware attack spread rapidly across the globe and affected many industries, including healthcare. WannaCry exploited a vulnerability in the Windows operating system, known as EternalBlue, which was leaked from the U.S. National Security Agency (NSA). The ransomware encrypted files on infected systems, rendered them inaccessible, and demanded ransom payments in Bitcoin to decrypt the files.

It’s estimated that 40% of healthcare organizations suffered a WannaCry attack in a six-month period. The attack affected old and unmanaged medical devices, led to the cancellation of medical procedures, delayed patient care, and caused significant operational disruptions.

WannaCry highlighted the vulnerabilities in medical devices that rely on outdated or unpatched software. It made healthcare providers recognize the need for robust cybersecurity measures, including timely software updates and patches to protect against known vulnerabilities.

URGENT/11 Vulnerabilities

In 2019, security researchers discovered a set of 11 zero-day vulnerabilities, collectively known as URGENT/11, in the TCP/IP software library developed by Interpeak, which is used in various operating systems for embedded devices. These vulnerabilities affected the IPnet stack, which is widely used in real-time operating systems (RTOS) and embedded systems, including medical devices.

URGENT/11 vulnerabilities could be exploited to take control of affected medical devices (e.g., infusion pumps, patient monitors, and imaging systems), disrupt device functionality, gain unauthorized access to sensitive patient data, and potentially cause harm to patients.

The widespread impact of URGENT/11 underscores the importance of third-party software component security and understanding the cybersecurity risks associated with embedded systems in medical devices. There is an undeniable need for comprehensive risk assessments and security measures in the design and development of medical devices.

SweynTooth Vulnerabilities

In early 2020, a series of vulnerabilities known as SweynTooth were discovered in Bluetooth Low Energy (BLE) software development kits (SDKs) from various vendors that affected medical devices like pacemakers, glucose monitors, and insulin pumps.

SweynTooth vulnerabilities could be exploited to crash devices, bypass security mechanisms, and take control of affected devices. Devices that relied on BLE for communication were at risk of disrupted functions, which could in turn compromise patient safety.

Thoroughly tested security measures for the communication protocols used in medical devices are imperative. There must be mechanisms to update and patch vulnerabilities in deployed medical devices and to ensure ongoing cybersecurity.

How Section 524B of the FD&C Act Was Developed

Stakeholders in healthcare, cybersecurity, and patient advocacy voiced their concerns about voluntary cybersecurity measures. They called out the potential risks to patient safety and the integrity of healthcare systems because of vulnerable medical devices. Recommendations for more structured and enforceable cybersecurity requirements came from industry consortiums like the Healthcare and Public Health Sector Coordinating Council (HPHSCC).

The FDA was responsive to these concerns and maintained ongoing dialogue with stakeholders to understand the challenges and gaps in the voluntary framework. The FDA’s engagement included hosting workshops and public meetings and establishing working groups focused on medical device cybersecurity.

Legislative Sponsorship and Drafting

Recognizing the need for legislative action, several lawmakers took the initiative to draft more stringent cybersecurity requirements. The Protecting and Transforming Cyber Health Care Act (PATCH Act) of 2022 (H.R. 7084) advocated for strengthening cybersecurity requirements for medical devices by mandating specific premarket submission information to ensure their safety and effectiveness throughout their lifecycle.

The Cybersecurity in Medical Devices Frequently Asked Questions (FAQ) page on the FDA website provides clear and enforceable guidelines for medical device manufacturers to enhance the security posture of medical devices and ensure patient safety.

Take Action to Secure Your Medical Devices

The passage of Section 524B of the FD&C Act mandates stringent cybersecurity requirements, but adhering to these regulations can be challenging.

USDM Life Sciences specializes in helping medical device manufacturers meet these regulatory standards. Our cybersecurity experts ensure that your devices are compliant and secure from emerging threats, protect patient safety, and maintain operational integrity.

Don’t wait for the next cyber threat—contact us today. We’ll tailor a cybersecurity solution that secures the future of your medical technology.

Explore nine steps to meet 524B requirements—download the white paper Understanding FD&C 524B.
