Medical device cybersecurity: FDA wants bill of materials

Featured image

Share this article

Hospital operating room with medical devices that need cybersecurity

As modern medical devices evolve in sophistication, they also pose new risks to patients, hospitals, and healthcare organizations.

The FDA has called for a bill of materials to keep medical devices a step ahead of cybersecurity vulnerabilities. 

The aim is to have manufacturers disclose other vendors’ software that may be a part of their software or firmware. This would give healthcare IT security staff more control over software vulnerabilities in medical devices. 

Minimizing risk between users and manufacturers

Organizations are often unaware that the software or firmware they’re purchasing has software embedded in it from another manufacturer.

The FDA’s bill of materials informs users about vulnerabilities and patches issued from vendors. Risk mitigation controls can also be set up on the medical device until the patch is available. 

Currently, manufacturers are responsible for reporting vulnerabilities to the Common Vulnerabilities and Exposure (CVE) report. If it doesn’t affect the product or if the report is not reviewed, end users can be left in the dark about the risk to the software.

The bill of materials encourages users to be alert to CVEs from manufacturers.   

IT challenges for the medical industry

Ironically, more opportunities for a breach have arisen in the implementation of the bill.

While it demands that manufacturers disclose any software partners when submitting a medical device to the FDA for approval, the early disclosure of software partners can become useless when devices are dropped for better solutions. 

And since the medical device’s manufacturer is not always present at each hospital, remote updates can introduce vulnerabilities for attackers to exploit.

CIOs and CISOs will need to maintain a secure network while opening entry points for manufacturers’ updates. Sealing devices in a cryptographic tunnel may work in combination with network security vendors who can provide a hardware root of trust, zero trust networks, and layer 2 over layer 3 encryption.   

Conclusion  

Managing the cybersecurity of medical devices will require more planning to secure each shared connection and prevent attackers from stealing patient data. Organizations will have to take a proactive approach to attacks, instead of only focusing on critical vulnerabilities as they happen. 

 

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.

Read more by Rick Kuwahara

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022