Regulators Force Medical Device Manufacturers to Protect Against Cyberattacks
This article was originally published by HIT Consultant
David Barzilai, VP of Sales and Marketing at Karamba Security

There is a fine line that connects the cars we drive and the medical devices we occasionally use. Both connect to the internet, and as such, are exposed to cyberattacks that could compromise consumers’ safety. These are not theoretical risks: Bluetooth vulnerabilities exposed millions of vehicle users to cyberattacks; a 19-year-old remotely infiltrated 25 Tesla vehicles in 13 countries, switching the engines on and off; Medtronic insulin pumps were hacked remotely by white-hat researchers; and the FDA has recalled 500,000 Abbott pacemakers due to a security vulnerability that could have been used to drain their batteries.

You may think that such consumer-safety and brand risks would drive device and automotive manufacturers to proactively harden their devices and improve their security posture against cyber risks, but unfortunately this is not the case. The reason is that embedded IoT devices – which both categories are part of – carry significant volumes of legacy software and run on limited-power computing hardware. Both are costly to change. In addition, medical and automotive engineering organizations are not familiar with cybersecurity best practices, and changing their suppliers’ processes is a tedious and costly effort.

Luckily for us consumers, regulators have decided to take matters into their own hands. UNECE, the United Nations’ Economic Commission for Europe, has initiated a regulatory effort that went into effect in July 2022. Under the regulation, car and truck manufacturers are prohibited from selling in the EU unless they prove that their vehicle types underwent rigorous cybersecurity measures. Authoring and ratifying the regulation took a few years, as you may expect from a cumbersome multinational body such as the UN.

Last December, the US Consolidated Appropriations Act, 2023 gave the Food and Drug Administration 90 days to come up with compulsory instructions requiring medical device manufacturers to implement cybersecurity best practices as part of their software development lifecycle and lifelong support policies. As with the UN regulation, manufacturers who cannot prove their compliance with the cybersecurity best practices will be blocked from selling their medical devices.

There are similar public-safety principles in both regulations:

  • Manufacturers must document and prove their vehicles’ or medical devices’ cybersecurity posture
  • A failure to prove such posture (i.e. putting customers at risk) would severely affect manufacturers’ business plans, as they are not allowed to sell their products until they remediate the security gaps
  • Manufacturers’ responsibility for their customers’ safety does not stop at product release. They must keep track of new vulnerabilities as they are reported throughout the use of their products, and they are responsible for patching their devices in a timely manner before newly reported critical vulnerabilities are exploited.

OEMs – large and small – are seeking help to meet the new demands and to offload cybersecurity tasks to external parties that enable them to make the necessary audits and changes without interfering with their R&D organizations, supply chain and embedded device architectures. Putting commercial benefits aside, it is reassuring that automotive and medical manufacturers are placing customers’ cyber-safety at the top of their priority list, to ensure that their products live up to their mission of making consumers’ lives better and safer.


About David Barzilai

David Barzilai is the VP of Sales and Marketing at Karamba Security. He is a serial entrepreneur with go-to-market executive experience and a track record of major increases in shareholder value. David serves as Karamba Security’s Executive Chairman and runs the company’s go-to-market strategy.