FDA to include cybersecurity ‘bill of materials’ in medical device premarket guidance

The Food and Drug Administration (FDA) is preparing an update to premarket guidance for medical devices that would recommend that manufacturers provide a list of internal hardware and software to help providers respond to cyberattacks.

The change, which would recommend that device companies submit a “cybersecurity bill of materials,” is one of several efforts by the agency to help hospitals better respond to a cyberattack involving medical devices. The list would include commercial and/or off-the-shelf software and hardware components of the device.

The “significant update” will be published in the “coming weeks,” FDA Commissioner Scott Gottlieb, M.D., said in a statement earlier this week.

“Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats,” he added.

It’s also an update that has been pushed by cybersecurity experts concerned about the risks associated with medical devices, many of which run on older operating systems. A “bill of materials” requirement was included in a report last year by the HHS Cybersecurity Task Force and cited by lawmakers in a letter to HHS late last year.  

Having device manufacturers disclose this hardware and software information will let hospitals and health systems quickly determine whether a specific device is susceptible to a large-scale event like last year’s WannaCry attack, according to Julie Connolly, a principal cybersecurity engineer with MITRE.
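The check Connolly describes is a cross-reference: the components a manufacturer lists for a device, matched against what an advisory says is affected and what closes the hole. The script below is an added illustration, not FDA guidance or MITRE code, and the bill-of-materials format it uses is an assumption (the FDA update had not specified one). The fleet inventory is constructed; the advisory facts are the public ones for WannaCry, which spread through the SMBv1 flaw in Windows addressed by Microsoft bulletin MS17-010 (CVE-2017-0144).

```python
"""Cross-reference a device cybersecurity bill of materials (CBOM) against an
advisory. Added example with an assumed CBOM schema; inventory data is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Component:
    """One line item of a device's bill of materials (assumed schema)."""
    name: str                                          # e.g. "Microsoft Windows"
    version: str                                       # vendor version string
    patches: frozenset = field(default_factory=frozenset)   # fixes the vendor applied
    services: frozenset = field(default_factory=frozenset)  # network services enabled


@dataclass(frozen=True)
class Device:
    device_id: str
    components: tuple


@dataclass(frozen=True)
class Advisory:
    ident: str
    component: str                    # affected component name
    versions: Optional[frozenset]     # None means every version of the component
    requires_service: Optional[str]   # the exploit needs this service reachable
    fixed_by: frozenset               # any one of these patches closes the hole


def assess_device(device: Device, adv: Advisory) -> tuple[str, str]:
    """Return (status, reason); status is 'exposed', 'mitigated' or 'not affected'."""
    for comp in device.components:
        if comp.name != adv.component:
            continue
        if adv.versions is not None and comp.version not in adv.versions:
            continue
        applied = adv.fixed_by & comp.patches
        if applied:
            return "mitigated", f"{comp.name} {comp.version} has {sorted(applied)[0]} applied"
        if adv.requires_service and adv.requires_service not in comp.services:
            return "mitigated", f"{adv.requires_service} is not enabled on {comp.name} {comp.version}"
        return "exposed", (f"{comp.name} {comp.version} lacks {sorted(adv.fixed_by)}"
                           + (f" and exposes {adv.requires_service}" if adv.requires_service else ""))
    return "not affected", f"no {adv.component} component listed in the bill of materials"


def assess_fleet(devices, adv: Advisory) -> dict:
    """Map each device id to its (status, reason) for one advisory."""
    return {d.device_id: assess_device(d, adv) for d in devices}


# WannaCry's propagation vector: unpatched SMBv1 on Windows, fixed by MS17-010.
MS17_010 = Advisory(
    ident="MS17-010 / CVE-2017-0144",
    component="Microsoft Windows",
    versions=None,
    requires_service="SMBv1",
    fixed_by=frozenset({"MS17-010"}),
)

# Constructed inventory: four hypothetical devices, one CBOM each.
SAMPLE_FLEET = (
    Device("infusion-pump-01", (Component("Microsoft Windows", "XP Embedded SP3",
                                          services=frozenset({"SMBv1", "RDP"})),)),
    Device("ct-scanner-02", (Component("Microsoft Windows", "7 SP1",
                                       patches=frozenset({"MS17-010"}),
                                       services=frozenset({"SMBv1"})),)),
    Device("monitor-03", (Component("Microsoft Windows", "7 SP1",
                                    services=frozenset({"RDP"})),)),
    Device("ventilator-04", (Component("Linux kernel", "3.10"),)),
)

if __name__ == "__main__":
    for dev_id, (status, reason) in assess_fleet(SAMPLE_FLEET, MS17_010).items():
        print(f"{dev_id:18} {status:13} {reason}")
```

Without the manufacturer's list this whole check reduces to guessing from the device label; with it, a hospital can answer "which of our devices are exposed?" for a new advisory in minutes rather than waiting on each vendor.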

“Right now, for a lot of hospitals, it’s a black box and it’s a black box they can’t touch,” she said. “They are desperate, some of them.”

The FDA also released a new cybersecurity preparedness playbook (PDF) for provider organizations that outlines readiness activities and can help them prepare for an attack on medical devices. Created with the help of MITRE, the guidance builds on the emergency response procedures providers already use for natural disasters and applies them to cybersecurity incidents.


MITRE has been working with the FDA on medical device cybersecurity since 2014, but it became particularly clear in the wake of last year’s WannaCry and Petya/NotPetya attacks that hospitals needed more support. Generally, larger systems with more resources are better prepared to handle an attack, but last year’s global attack was an eye-opener, Connolly said. Many providers were unsure whether their medical devices were affected and had difficulty getting information from manufacturers.

“WannaCry really caught a lot of people off guard,” she said. “Even the larger resourced hospitals—they were sweating it. It was new and it was an ‘ah ha’ moment.”

Last year’s cyberattacks have certainly raised the profile of healthcare’s vulnerabilities, said Steve Povolny, head of advanced threat research at McAfee. The FDA’s playbook offers providers clear guidance along with a formalized process for responding to an attack, a resource the provider community desperately needs, he said.

But health systems will still shoulder the burden of building those processes into their emergency response plans.

“Whether [providers] move towards a proactive approach and take those preliminary steps, I think that might be a stretch given the investment we’ve seen so far,” Povolny said.