January 22, 2015 Articles

Bringing the Cyber War to the Medical Device Battleground

By Karen Woodward and Mary Beth Buckley

With rapid advances in medical technology, including an increasing number of wireless, Internet- and network-connected, interoperable medical devices, the Food and Drug Administration (FDA) has strongly encouraged all stakeholders, and in particular manufacturers, to take steps to ensure the cybersecurity of such devices. And, while the path to the fail-safe cybersecurity of these devices may be long and complex, the FDA and stakeholders have shown their commitment to achieving the optimal security sought by the FDA. This article discusses the FDA’s current cybersecurity guidance, the hurdles and challenges identified by stakeholders, and likely next steps for the FDA and the medical device community. 

With the cyber attack on Sony Pictures, along with the ensuing publicity nightmare and public outrage calling for the release of the film The Interview, the end of 2014 saw a significant spike in interest over cybersecurity. The Sony hack brought cybersecurity to the pop culture forefront, and what better way to get America’s attention than to tap into the cult of celebrity?

Now that cyber terrorists truly have our attention, a far more sinister cyber threat merits display: the cybersecurity of interoperable medical devices. With advances in medical technology, more and more medical devices are now technologically linked to health information systems and, as a result, could conceivably be “hacked.” Intentional interference with implantable medical devices is far from fictional. Several years ago, former Vice President Dick Cheney decided to disable his pacemaker’s wireless capabilities in order to thwart any would-be assassination efforts. See, e.g., Andrea Peterson, “Yes, Terrorists Could Have Hacked Dick Cheney’s Heart,” Wash. Post, Oct. 21, 2013. Thankfully, to date there have been no reported cases of known, intentional interference with connected, implantable medical devices. Nonetheless, the FDA, Department of Homeland Security (DHS), medical device manufacturers, and the broader medical community are continuing to work together to prevent these types of breaches from occurring and to minimize the potential for serious injury in the event of a successful breach. The recent efforts of stakeholders on this issue are timely indeed.

The FDA Guidance
The cybersecurity of medical devices is hardly a new concern to the FDA, but its attention to the issue was paramount this year, culminating this past fall in the issuance of its final guidance entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. While the FDA acknowledges that medical device security is necessarily a shared responsibility among health care facilities, patients, providers, and manufacturers, the cybersecurity guidance focuses on manufacturers’ responsibility to consider cybersecurity issues in the design, development, and premarket submission processes. The guidance is broken down into two primary categories: (1) identify and protect; and (2) detect, respond, and recover.

The first prong—identify and protect—initially involves the identification of the nature and likelihood of potential cybersecurity risks—an exercise that will necessarily be dependent on the nature of the device and that should take into account, inter alia, the extent of the device’s electronic data interfaces, vulnerabilities, and risk of patient harm. Once risks have been identified, the FDA recommends, device manufacturers should consider designing devices such that access to the devices is limited to trusted users (using, for example, password, smart card, or biometric authentication) and that data can be transferred only to and from trusted sources. Selected security measures, the FDA cautions, should balance the need for security in light of the perceived risks against its impact on the usability of the device, ensuring that security controls are manageable for the device’s intended users. The FDA recommends that premarket submissions for all devices capable of connecting to another device include justification for the security functions chosen.

The second prong—detect, respond, and recover—focuses on the ability of devices to (a) detect and recognize security compromises in real time, (b) inform and advise end users of the compromise and how to respond, (c) safeguard critical functionality of the device, and (d) provide methods for retention and recovery of device configuration.

The FDA suggests that premarket submissions include the following:

  • hazard analysis, mitigation, and design considerations
  • a traceability matrix that links the selected controls to the identified cybersecurity risks
  • a summary of the plan for providing software updates and patches throughout the lifecycle of the device
  • a summary of controls to ensure that the devices will remain free of malware from the point of origin to the point at which the device leaves the manufacturer’s control
  • instructions and product specifications for cybersecurity controls appropriate for the intended use environment

While the FDA’s cybersecurity guidance is nonbinding, its recommendations will undoubtedly serve as the benchmark for premarket submissions going forward. Cybersecurity concerns have been on the radar of many sophisticated medical device manufacturers for some time, and such companies should have little trouble implementing the FDA’s cybersecurity guidance in future FDA premarket submissions. Other, less sophisticated device manufacturers, however, may be required to seek outside expertise in making sure that the FDA’s concerns are addressed and articulated in premarket submissions.

Stakeholders Weigh In
Several weeks after the issuance of the cybersecurity guidance, on October 21–22, 2014, the FDA sponsored a two-day public workshop entitled Collaborative Approaches for Medical Device and Healthcare Cybersecurity (webpage containing links to all workshop presentations). This workshop was extremely well received by stakeholders—220 representatives from the FDA and other government agencies, device manufacturers, hospitals, providers, trade organizations, information technology security firms, biomedical engineering and technology firms, cybersecurity firms, and academic institutions attended the live workshop, while over 800 additional representatives participated via webcast.

One of the more vexing topics raised at the workshop was the need to balance the increasing desire of the medical community for interoperable medical devices, or IMDs (i.e., the ability of data to be shared across medical devices and systems) with the complex cybersecurity challenges that interoperability creates. On the one hand, health care providers are increasingly advocating for medical device interoperability as a means to both improve patient outcomes and significantly reduce health care costs. A March 2013 study conducted by West Health Institute, The Value of Medical Device Interoperability: Improving Patient Care with More Than $30 Billion in Annual Health Care Savings, concluded that improved medical device interoperability could yield savings of up to $30 billion a year, resulting from, inter alia, the avoidance of adverse outcomes, elimination or reduction of redundant testing, and reduction in clinical time spent entering and assessing patient information. Health care providers at the FDA workshop echoed this sentiment, noting that efficiencies and savings gained from interoperability are compelling and that “interoperability is coming.” See also Venkatasubramanian et al., Security and Interoperable Medical Device Systems: Part 1 (2013) (“stakeholders…are recognizing that the future lies in building genuine interoperability”).

On the other hand, interoperability raises unique cybersecurity challenges. Truly useful interoperability, providers assert, requires the sharing of information between different devices made by different manufacturers, transmitted across multiple platforms. More interoperable devices and platforms, however, mean that devices and platforms become increasingly dependent on one another and that vulnerability at any point in the process may render devices that would otherwise be “safe” in stand-alone mode increasingly vulnerable to cyber threats.

Stakeholders at the FDA workshop were optimistic that, although the challenges are significant, a balance between interoperability and cybersecurity is achievable. Speakers emphasized that devices and platforms that are designed with interoperability in mind are critical to achieving this goal. Also critical to achieving this goal is updating or patching software on “legacy” devices (i.e., devices not designed with interoperability in mind).

Cybersecurity Vulnerabilities under Investigation by the DHS
While there are no confirmed instances to date of intentional cyber attacks on medical devices, it was recently reported that the DHS’s Industrial Control Systems Cyber Emergency Response Team is currently investigating about two dozen cases of medical device vulnerabilities that the DHS believes are particularly susceptible to exploitation by hackers. The products at issue include pain infusion pumps, implantable heart devices, imaging equipment, and hospital networking systems. The DHS is working with device manufacturers and hospitals to identify and repair these vulnerabilities. A DHS official noted that the probe should not be viewed as an indication that these entities have done anything wrong and that the DHS is merely working with the entities to make sure that the perceived vulnerabilities are rectified. (See Jim Finkle, “U.S. Government Probes Medical Devices for Possible Cyber Flaws,” Reuters, Oct. 22, 2014).

Conclusion
It is likely that device manufacturers and other medical device stakeholders will be hearing much more from the FDA on the subject of medical device interoperability and cybersecurity in the months and years to come. The FDA has solicited and received comments from stakeholders on a number of follow-up questions from the workshop, including how best to encourage collaboration, innovation, and optimal cybersecurity in both the public and private sectors. (As of this writing, the FDA has not made these comments publicly available.) It will be interesting to see what the FDA demands of premarket submissions going forward and whether the FDA’s cybersecurity guidance will act as a barrier to market entry for new devices. Hopefully, the good work being done on this front will continue to keep cyber terrorists out of the medical device battleground for the foreseeable future.

Keywords: mass torts litigation, cybersecurity, medical device, hacking, FDA, DHS


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).