FDA Introduces Cybersecurity Modernization Plan to Prevent Hacking of Medical Devices

Federal regulators have released a new series of cybersecurity enhancements, which are designed to prevent hacking of medical devices, by adopting a “Zero Trust” rule.

The U.S. Food and Drug Administration (FDA) and the Office of Digital Transformation (ODT) announced the Cybersecurity Modernization Action Plan (CMAP) on November 17, as part of an ongoing effort to reduce the growing risk of medical devices being hacked due to security vulnerabilities.

Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.

During the pandemic, the FDA warned that there was an increase in reconnaissance activities, denial of service, attempted exploitation, and other cyber issues against the digital infrastructure. The agency reported a 457% increase in issues which include almost 10 billion firewall and intrusion blocks monthly.

The agency indicates this increase in hacking attempts poses a significant threat to its operations of a global technology enterprise. Therefore, the FDA announced it will continue to leverage innovative tools and technologies like machine learning, AI, data sharing, collaboration platforms, and high-performance computing.

To further combat cybersecurity threats, the FDA and ODT are adopting a Zero Trust strategy which aims to only grant authorized personnel with access to necessary information. Officials stated this approach will limit the ways in which information can be intercepted or released.

The key elements outlined in the Cybersecurity Modernization Action Plan include:

• Establish a comprehensive Zero Trust approach to facilitate new digital services and modernization efforts.
• Promote software assurance best practices that include security measures at every stage of the development lifecycle
• Enhance interoperable and secure data exchange, and collaboration across FDA and its public health partners.
• Leverage Artificial Intelligence/Machine Learning (AI/ML) technologies to enhance cyber detection and response capabilities.
• Integrate counterintelligence and insider risk principles with the Zero Trust model to enable an intelligence driven approach.
• Prioritize and invest in FDA’s cybersecurity workforce.

The plan is to create a high-skilled cyber workforce with the latest technology and processes to adapt to the modern cybersecurity landscape, officials said. The cybersecurity threats endanger many different parts of people’s lives, including their medical health.

Since 2019, the FDA has taken actions against cybersecurity attacks with its releases of the Technology Modernization Action Plan (TMAP), Data Modernization Action Plan (DMAP) in 2021, and Enterprise Modernization Action Plan (EMAP) this year.

Medical Device Cybersecurity Attacks

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The FDA issued a cybersecurity warning on September 20, alerting medical device users that the Medtronic MiniMed 600 Series Insulin Pump System has a communication protocol that could allow unauthorized use. The agency warned this exploit could be used to cause the pumps to deliver too much, or too little, insulin, which could prove fatal.

This warning came after a previous one made in March 2019 regarding vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate and alter the implanted devices could be hacked due to a lack of security protocols.

Other announcements have been made over the past few years similar to the Medtronic MiniMed issues. The Department of Homeland Security (DHS) and the FDA released a medical device cybersecurity warning, titled “URGENT/11”, on October 1, 2019, which detailed how certain medical devices that communicate over a network may contain vulnerabilities, potentially allowing hackers to remotely take control of the device and change its functions.