Medical device regulation is an important part of the healthcare industry because it helps protect patients by ensuring that any device used to diagnose, treat or prevent a medical condition meets specific safety and quality standards.
No doubt medical technology has advanced, and it will develop further in the future. However, this technological development comes at a price. As medical devices and systems become digital and interconnected, cyber threats grow exponentially.
Cyberattacks on the healthcare industry have continued to grow year after year. 2022 was the year with the worst attack growth, with an 86% increase in weekly attacks compared to 2021.
In response to the deteriorating cybersecurity situation, governments have been trying to intervene. Serious efforts have been made to plug as many loopholes as government regulation allows.
One of the most recent examples of the necessity of medical device oversight is an appropriations bill passed by the U.S. Congress at the end of 2022. It includes provisions mandating that companies making connected medical devices ensure the security of their products. The act empowers health and human services agencies to issue requirements and regulations related to the cybersecurity of connected medical devices.
Other countries have similar regulations or proposals to protect connected medical devices. The European Union has its Cyber Resilience Act, which sets out cybersecurity requirements for IoT products, including medical devices.
Japan’s Ministry of Health, Labor and Welfare (MHLW) updated medical device regulations in early 2022 to emphasize cybersecurity. Meanwhile, the China Center for Medical Device Evaluation (CMDE) has established new “guiding principles” for medical software used in 18 product categories.
The UK is also working on a Product Safety and Telecommunications Infrastructure Act, which aims to set cybersecurity requirements for various network-enabled devices, including those used in healthcare.
More governments are expected to pass new legislation and regulations or update existing ones to reflect new challenges in cybersecurity. Relying on initiatives from private organizations no longer seems to be an option.
There have been various initiatives, including government and private partnerships, to address emerging cyber threats, but they do not appear to be sufficient to keep up with the many ways in which threat actors exploit vulnerabilities, as the attack surface grows with the digitization and connectivity of many aspects of the medical and healthcare industry.
One of the reasons for inserting medical device regulation into the US 2022 appropriations bill is the proliferation of medical device vulnerabilities. In December, the FBI issued an alert about hundreds of vulnerabilities found in widely used medical devices, which create opportunities for cyberattacks.
“Cyber threat actors exploiting vulnerabilities in medical devices are adversely impacting healthcare organizations’ operational functions, patient safety, data confidentiality, and data integrity,” the FBI alert states. Specifically, the federal agency cited safety flaws in defibrillators, pacemakers, insulin pumps, mobile heart telemetry and pain relief pumps.
Government intervention is necessary because most cybersecurity issues in medical devices are outside the capabilities and expertise of users. Most devices have been deployed and used for decades, and users do not expect to check their configuration and firmware on a regular basis.
Many devices ship to healthcare facilities in standard out-of-the-box configurations. They are then used by hospitals for twenty to thirty years. This creates ample opportunities for threat actors to methodically hunt for vulnerabilities or wait for software update failures that could open windows for intrusion.
Addressing this risk is best left to the device manufacturer itself. Therefore, it makes more sense to force manufacturers to implement security measures to protect these long-lived devices.
On the other hand, legacy devices become a serious cybersecurity threat. One study estimated that almost three quarters of medical devices worldwide are still running legacy operating systems. This is a significant risk, especially for devices that directly affect people’s health and lives. Again, this is a problem best addressed by manufacturers, and regulation is the only way to force device manufacturers to take responsibility.
In addition, increased regulation is necessary because public-private cybersecurity partnerships are often insufficient. Jim Dempsey, a consultant at the Stanford Cyber Policy Center, cites the infamous Colonial Pipeline incident in 2021 to argue that the government could do more to strengthen cybersecurity where public-private cybersecurity cooperation is lacking.
Furthermore, regulations ensure that the medical devices available in the market are safe. Rather than relying on economic factors to force manufacturers to become more competitive by offering better, safer products, governments can intervene and ensure only safe and reliable products are provided. Manufacturers can compete in other areas, such as the functionality and longevity of the equipment they offer.
There are sensible critiques of increased regulation in the name of cybersecurity. One is that it may reduce the agility of organizations, limiting their ability to respond to specific attacks and innovate to better handle cyber threats.
Additionally, the cost of compliance can be high, which can lead some organizations to only focus on complying with regulations rather than actually strengthening their security posture.
Some have also attacked lawmakers or policymakers pushing for regulation for lack of expertise and incompetence. Imposed requirements may not actually solve real problems, especially when corporate lobbying is involved. For example, the medical device regulatory component of the US 2022 appropriations bill was reportedly watered down to a less potent form as a result of lobbying.
The House-passed bill had a broader definition covering any device with any one of three attributes: the presence of software or firmware, the ability to connect to the internet, and vulnerability to cybersecurity threats. However, the version passed in the Senate limits the definition to devices that have all three attributes, not just one. This substantially reduces the number of devices covered by the legislation.
In addition, there are doubts about the government’s ability to properly protect private and sensitive data that may be collected during the compliance process. Governments around the world have a documented history of being incapable of handling private data and suffering from aggressive cyberattacks that bring systems down.
If medical technology is advancing, isn’t it enough that cybersecurity technology is also advancing to keep up with new threats? Security companies regularly come up with new solutions to address emerging threats.
If this is the case, why is regulation needed? The answer is simple: there are loopholes that device users alone cannot adequately address, especially those in the healthcare field. They have limited resources and are more likely to spend those resources on core services rather than on augmenting IT and network security teams.