FDA to include cybersecurity ‘bill of materials’ in medical device premarket guidance

New updates from the FDA are aimed at giving hospitals additional resources to respond to a cyberattack that implicates medical devices. (Getty/Ridofranz)

The Food and Drug Administration (FDA) is preparing an update to premarket guidance for medical devices that would recommend that manufacturers provide a list of internal hardware and software to help providers respond to cyberattacks.

The change, which would recommend that device companies submit a “cybersecurity bill of materials,” is one of several efforts by the agency to help hospitals better respond to a cyberattack involving medical devices. The list would include commercial and/or off-the-shelf software and hardware components of the device.

The “significant update” will be published in the “coming weeks,” FDA Commissioner Scott Gottlieb, M.D., said in a statement earlier this week.


“Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats,” he added.

It’s also an update that has been pushed by cybersecurity experts concerned about the risks associated with medical devices, many of which run on older operating systems. A “bill of materials” requirement was included in a report last year by the HHS Cybersecurity Task Force and cited by lawmakers in a letter to HHS late last year.

Requiring device manufacturers to include hardware and software information will help hospitals and health systems quickly determine whether a specific device is susceptible to a large-scale event like last year’s WannaCry attack, according to Julie Connolly, a principal cybersecurity engineer with MITRE.

“Right now, for a lot of hospitals, it’s a black box and it’s a black box they can’t touch,” she said. “They are desperate, some of them.”

The FDA also released a new cybersecurity preparedness playbook (PDF) for provider organizations that outlines readiness activities and can help them prepare for an attack on medical devices. Created with the help of MITRE, the guidance builds on existing emergency response procedures providers use for natural disasters with a focus on cybersecurity.


MITRE has been working with the FDA on medical device cybersecurity since 2014, but it became particularly clear in the wake of last year’s WannaCry and Petya/NotPetya attacks that hospitals needed more support. Generally, larger systems with more resources are better prepared to handle an attack, but last year’s global attack was an eye-opener, Connolly said. Many providers were unsure whether their medical devices were affected and had difficulty getting information from manufacturers.

“WannaCry really caught a lot of people off guard,” she said. “Even the larger resourced hospitals—they were sweating it. It was new and it was an ‘ah ha’ moment.”

Last year’s cyberattacks have certainly raised the profile of healthcare’s vulnerabilities, says Steve Povolny, head of advanced threat research at McAfee. The FDA’s playbook offers clear guidance for providers along with a formalized process for responding to an attack, a resource that is desperately needed in the provider community.

But health systems will still shoulder the burden of building those processes into their emergency response plans.

“Whether [providers] move towards a proactive approach and take those preliminary steps, I think that might be a stretch given the investment we’ve seen so far,” Povolny said.
