- FDA has warned the Biden administration that recent ransomware attacks on hospitals and health systems “highlight the ungraceful failure” of perimeter-based firewalls and the safety consequences of not separating operational technology (OT) from information technology (IT).
- The agency voiced its concerns for the healthcare sector and specifically medical device cybersecurity in a response to a National Institute of Standards and Technology call for position papers to fulfill President Joe Biden’s executive order signed last month, which seeks to bolster U.S. cyber posture amid growing hacker threats.
- FDA’s document provides its current OT cybersecurity practices and efforts while laying out its support for NIST’s goal of developing software-related standards and guidelines especially for a Software Bill of Materials, an electronically readable format designed to provide an inventory of third-party components in devices. The agency contends that SBOMs, which were called out in Biden’s order, are essential to securing the software supply chain and are critical to managing safety risks to patients.
Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, warned last month that cyber threats to the healthcare and medtech industries, including ransomware and other malware, are growing in sophistication, potentially putting patient safety at risk.
“Everything is hackable,” Fu told the Food & Drug Law Institute annual conference in May, noting that medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.
A report from Moody’s Investors Service late last month also issued a dire warning that ransomware attacks will continue among large healthcare providers for the foreseeable future and that these attacks could even lead to patient deaths — as was the case for a hospital in Europe.
FDA, in its response to NIST’s call for position papers on enhancing software supply chain security, referenced several 2021 cyberattacks including ransomware that disabled the Irish Healthcare Service and disrupted a hospital for weeks.
The agency also noted a “fundamentally new problem” in which “ransomware remediation disrupted the cloud services necessary for critical function of cancer radiation therapy rather than simply disrupting electronic health record systems and other, more traditional hospital IT infrastructure.”
FDA concluded that such increasingly common ransomware attacks on healthcare “highlight the ungraceful failure of perimeter-based firewalls and the safety consequences of not separating [operational technology] from [information technology] by design.”
Operational technology (OT) refers to technology that monitors and controls specific devices, while information technology (IT) refers to the application of network, storage, and compute resources directed toward the generation, management, storage, and delivery of data.
The FDA’s document urged NIST and the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to continue with and enhance their present approaches to the development of standards and guidelines for OT security by leveraging public and private sector experts.
“Increasing communications on existing science and engineering principles, standards, and guidance can translate into improvements in OT cybersecurity, which has a fundamentally different risk management calculus from traditional IT cybersecurity,” states the FDA’s document, which summarizes the agency’s current practices and efforts “presently underway for OT cybersecurity in the greater medical device security ecosystem.”
Software supply chain security is one essential part of managing risk to patients, according to FDA. In 2018 the agency issued draft premarket guidance proposing regulatory approaches for SBOMs, legacy software policies, and manufacturer responsibilities for providing regular software security updates.
That same year, NTIA launched a multi-stakeholder initiative to improve software component transparency across several industries with SBOMs, including medtech, by standardizing the process for sharing the data so users can better understand what exactly is running on their networks.
“FDA has been involved with and supportive of the NTIA multi-stakeholder work on SBOM since its inception. Many medical device and healthcare stakeholders, including FDA, have been instrumental in developing the schemas, formats, and other outputs from the NTIA process, and many such stakeholders are beginning to adopt these outputs,” states the agency’s response to NIST.
Going forward, FDA recommended that NIST closely examine the NTIA work on SBOMs “as part of their exploration of guidelines for software integrity chains provenance.”
However, Biden’s executive order raises some issues related to SBOM standardization, according to Zach Rothstein, AdvaMed’s vice president for technology and regulatory affairs.
While AdvaMed is “very supportive” of the SBOM concept, the medical device lobbying group wants to see uniform standards for the electronically readable format to ensure that device manufacturers “don’t have to create 10 different versions of the same document,” Rothstein told the FDLI conference last month.
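As an added illustration of what a device owner does with the "electronically readable" inventory the article describes (example code written for this page, not FDA's, NTIA's or any vendor's): it parses a constructed CycloneDX JSON SBOM, a widely used machine-readable SBOM format, and matches each component's exact version against a constructed advisory list. The firmware name, component versions and advisory entries are hypothetical.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX 1.4 SBOM for a hypothetical device firmware image.
# Names, versions and purls are illustrative, not from any real product.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "pump-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u",
     "purl": "pkg:generic/openssl@1.0.2u"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "application", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"}
  ]
}"""

# Constructed advisory feed: component name -> set of affected versions.
# Hypothetical data standing in for a vendor- or NVD-derived list.
ADVISORIES: Dict[str, Set[str]] = {
    "openssl": {"1.0.2u"},
    "busybox": {"1.31.0"},
}

Component = Tuple[str, str, str]  # (name, version, purl)


def parse_cyclonedx(text: str) -> List[Component]:
    """Parse a CycloneDX JSON SBOM and return its component inventory."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory: List[Component] = []
    for comp in doc.get("components", []):
        # "name" is required by the spec; version and purl are optional, so default them
        inventory.append((comp["name"], comp.get("version", ""), comp.get("purl", "")))
    return inventory


def flag_affected(inventory: List[Component], advisories: Dict[str, Set[str]]) -> List[Component]:
    """Return the components whose exact version appears in the advisory feed."""
    return [c for c in inventory if c[1] in advisories.get(c[0], set())]


if __name__ == "__main__":
    inv = parse_cyclonedx(SAMPLE_SBOM)
    print(f"{len(inv)} components in inventory")
    for name, version, purl in flag_affected(inv, ADVISORIES):
        print(f"affected: {name} {version} ({purl})")
```

Exact-version matching is deliberately strict; a production consumer would also need version-range comparison and a stable component identifier such as the purl, which is why uniform formats matter to the users as much as to the manufacturers.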