Medical device manufacturers face a conundrum. To meet recent FDA requirements, which were initially introduced a little over a year ago, they now need to quickly provide postmarket updates and patches for their devices to address cybersecurity vulnerabilities and ensure their ongoing safety and effectiveness.
However, medical device manufacturers know all too well that patching takes significant time and engineering resources, is difficult to accomplish for Class II and Class III medical devices, and often interrupts development plans when a vulnerability arises unexpectedly.
The reality is, the healthcare industry remains one of the most targeted critical infrastructure sectors each year. And while patching is important to secure devices postmarket, there needs to be more to the story to give software manufacturers a leg up over would-be attackers.
What the FDA Guidance Calls For
The FDA recommends that manufacturers should have a “plan for the rapid testing, evaluation, and patching of devices deployed in the field.” For cyber devices, this plan is required as part of the premarket submission process. Software manufacturers need to be able to demonstrate their ability to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits.
While the focus on testing, vulnerability identification, and patching hits the right notes for secure software development, medical device manufacturers can take their security a step further, meeting FDA requirements more efficiently while also adding mitigations up front to protect devices.
Patching’s Perfect Complement
While patching focuses on resolving security issues after the fact, there are promising new opportunities to make patching more efficient and to deploy software protections that can defend a medical device in the field even before a patch is available.
One approach is to adopt security solutions that provide runtime exploit prevention. This security technology is embedded within software applications to allow an already deployed device to defend itself against attack.
Runtime exploit prevention is able to protect devices from attacks like malware, code injection, backdoors, zero-day vulnerabilities, and memory-based attacks.
While runtime exploit prevention doesn’t eliminate the need to patch, it is immensely helpful in medical device scenarios where time is of the essence and applications are frequently difficult to update. Preventing exploits at runtime significantly reduces the severity and risks of unpatched vulnerabilities, providing much needed protection within an application itself.
Benefits of Proactive Security
There are several benefits to using proactive security solutions like runtime exploit prevention.
- Strengthen Premarket Submissions: By using solutions that prevent exploits at runtime, manufacturers can demonstrate as part of their cybersecurity management plan how they are implementing security that goes beyond just patching to provide immediate protection to devices, eliminating the timeframe from vulnerability disclosure to patch that leaves devices open to exploit. Runtime solutions allow device manufacturers to demonstrate how they are lowering risk in devices postmarket with the ability to prevent exploitation of future vulnerabilities and zero days.
- Smooth Out the Patching Process: When medical devices have runtime technology applied, manufacturers can take a more measured approach to patch management. First, manufacturers can assess a vulnerability’s severity and evaluate whether their existing protection measures prevent exploitation. If the vulnerability cannot be exploited due to these protections, manufacturers have more flexibility in their patching timeline since the devices remain secure. Manufacturers can align security updates with planned software upgrades, group multiple patches together, and reduce the overall frequency of updates required. This approach is particularly beneficial for Class II and III medical devices, as it maintains security while making the update process more efficient and less disruptive to healthcare operations. Rather than rushing emergency fixes, manufacturers can schedule patches strategically, leading to a more stable and manageable update process.
- Reduce FDA Re-approvals: Another challenge to quickly patching devices is the need to go through lengthy FDA re-approvals to apply patches to fielded devices. By having protections in place that allow you to minimize the frequency of patching updates, you won’t have to complete as many FDA re-approvals, which add cost and timeline to the release of new versions.
- Increase Medical Device Software Resilience: Vulnerabilities in medical devices continue to rise each year, and connectivity to broader healthcare systems increases the potential damages from an attack. Additionally, medical devices often have long lifespans, making them difficult to secure. Introducing runtime software protections helps defend the entire healthcare ecosystem, increase resilience against emerging threats, and secure devices throughout their lifespans.
Looking Ahead
While patching is an important part of medical device security, it doesn’t have to be as onerous of a process as it is today. By considering proactive security solutions, medical device manufacturers can complement the patching process, be better equipped to meet existing and new compliance requirements, deliver devices that are more resilient to attack, and ultimately protect the patients and healthcare providers who rely on their devices.
About Joseph M. Saunders
Joseph M. Saunders is the founder and CEO of RunSafe Security, a pioneer of cyberhardening technology for embedded systems deployed across critical infrastructure. He leads a team of former U.S. government cybersecurity specialists who know how attackers think about problems, how they weaponize attacks and how they choose targets.
A 25-year veteran of many leadership roles, Joe is on a personal mission to transform cybersecurity by challenging outdated assumptions and disrupting the economics that motivate hackers to attack.