Addressing Medical Device Security

"We are aware of hundreds of medical devices that have been infected by malware,” noted a senior official at the U.S. Food and Drug Administration. Though there have not been any reported injuries or deaths, it’s a sobering statement nonetheless.

More than half the medical devices sold in America rely on software, and 10-million-plus Americans use life-saving medical devices such as pacemakers and infusion pumps. If devices like these – that send and receive information via a wireless connection – could be tampered with, it could mean disaster for patients. In fact, in 2007 doctors modified the heart defibrillator of then Vice President Dick Cheney for fear of a potential cyberattack.

The profit for the bad actors is in selling patient data on the black market. But there’s a real fear that hackers will blackmail hospitals using ransomware. There were notable cases where the FDA advised hospitals to stop using a certain infusion pump due to the potential remote access by unauthorized users who could tamper with the dosage. Another case involved a VA hospital that closed temporarily because malware had infected computer systems for procedures to open patients’ blocked arteries after heart attacks.

Regarding manufacturers, there were reports in August 2016 of cyber vulnerabilities in pacemakers and defibrillators produced by St. Jude Medical. In October 2016, Johnson & Johnson issued a cybersecurity warning — the first of its kind — about its Animas OneTouch Ping insulin infusion pump. While patient risk is low, hackers could use an unencrypted radio frequency to take control of the pump.

What set the stage for the mounting threats is increased sophistication and integration among medical devices, along with the push for the widespread use of electronic medical records. This question is, is there anyone doing anything about the security threats? Thankfully, the answer is yes.

Concerned Groups

A variety of public and private organizations have jumped into the fray.

The Archimedes Research Center for Medical Device Security at the University of Michigan brings together medical and computer science experts to research methods for improving medical device security and helping manufacturers implement solutions.

“I Am the Cavalry” is a global grassroots organization that focuses on issues where computer security intersects public safety and human life. It strives to help medical device manufacturers and health care providers secure their equipment. 

The Center for Internet Security; the Medical Device Innovation, Safety and Security Consortium; and the National Cybersecurity Center of Excellence are also developing benchmarks and best practices in this area. Tips for medical device manufacturers from the aforementioned groups include:

• Segregate certain key devices from the organization’s network.
• Add the necessary firewalls.
• Conduct periodic penetration testing.
• Develop a plan for patches and updates.
• Implement stronger authentication for system administrators.
• Encrypt data. 
• Devise quicker detection and action plans.
• Create a transparent system for patient notifications.

There are some concerns that this could lead to a potentially slower, more conservative approach to innovation as well as possible friction between hospitals and manufacturers over which is responsible for certain costs. However, the cost for doing little or nothing could be considerably higher.

The Government

In 2013, President Obama issued Executive Order 13636, which covered critical infrastructure protection. The following year, the National Institute of Standards and Technology (“NIST”) released a voluntary framework and benchmarks for improving critical infrastructure. In 2015, the FBI issued recommendations to combat security risks surrounding the Internet of Things.

Under the Obama administration, the President's Office of Science and Technology Policy and then White House Cybersecurity Czar Michael Daniel had also weighed in on the issue. It was suggested that Medicare/Medicaid use its reimbursement policies to incentivize the purchasing of more secure products; however, this has yet to gain real traction. 

FDA

In 2014, the U.S Food and Drug Administration issued recommendations to manufacturers about proactively considering cybersecurity in the design of their products and submitting plans for patching and updating those systems. In 2016, the FDA drafted voluntary guidance for medical device manufacturers:

• Apply the 2014 NIST framework for improving critical infrastructure cybersecurity, which includes the core principles of identify, protect, detect, respond and recover.
• Monitor cybersecurity information sources to identify and detect cybersecurity vulnerabilities.
• Understand, assess and detect the presence and impact of vulnerability.
• Establish and communicate processes for addressing vulnerability.
• Define essential clinical performance to develop mitigations that protect against, respond to and recover from the cybersecurity risk.
• Adopt a vulnerability disclosure policy.
• Employ solutions that address cybersecurity risk early and prior to exploitation.
• Share cybersecurity information via participation in the Information Sharing Analysis Organization.

In most cases, manufacturers will address cybersecurity vulnerabilities through routine updates or patches. In these instances, the FDA does not require advance notification, additional premarket review or reporting. However, where those cybersecurity vulnerabilities may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the FDA would require medical device manufacturers to notify the agency.

 Catalyst - Spring 2017

• Insurance for Life Sciences and Biotech Companies
• Addressing Medical Device Security