Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 1 of 3)
The Inherent Risks, Impacts of Security Decisions, and Practical Approaches– Navigating the Medical Device Field and Vulnerabilities of Medical Devices
October was National Cyber Security Awareness Month, which is part of an annual campaign to raise awareness about the importance of cybersecurity and educate both the public and private sectors about maintaining safety in our interconnected world. Each week in October, the National Cyber Security Alliance, in partnership with the Department of Homeland Security, releases a series of tips focused on helping people protect their online activities and increasing cybersecurity awareness. Each week focuses on a specific cybersecurity theme targeted towards cybersecurity activities relevant to government, industry, and individual citizens.
Following up on some of the issues raised, we will explore in a series of three blog posts: (1) the specific vulnerabilities and risks inherent with embedded and interconnected medical devices, (2) cybersecurity and attacks on medical devices, and (3) practical approaches companies may employ both before and after a device is marketed. This first post in the series serves as an introduction to navigating the medical device field and the specific vulnerabilities and risks inherent with embedded and interconnected medical devices.
Introduction
In today’s modern society, recent technological advances have resulted in transformations in health care delivery, which improve health care and increase the ability of health care providers to treat patients. For example, wireless medical devices such as pacemakers are being implanted in patients, accompanied by software which allows the health care provider to receive and transmit information directly to the device from a remote location. But these devices aren’t without risk. As these medical devices become increasingly interconnected with other clinical systems, they become more vulnerable to both intentional and unintentional misuse, as well as cybersecurity attacks.
The term “cybersecurity” is used to cover a broad spectrum of context-specific adversarial challenges.[i] “Cybersecurity entails the safeguarding of computer networks and the information they contain from penetration and from malicious damage or disruption”.[ii]
While fictional, the popular television show “Homeland” portrayed a medical device cybersecurity hack, in which hackers remotely disabled the Vice President’s pacemaker, killing him. But the fear of medical device hacking by terrorists took a real-life turn for former Vice President Dick Cheney, who had his doctors disable his pacemaker’s wireless capabilities when it was implanted in 2007, to prevent against a possible assassination attempt. The once seemingly futuristic exploit of implanted medical devices is no longer science fiction, and has been successfully demonstrated in devices such as the insulin pump and pacemakers. And while the risk that medical devices carry of being vulnerable to cybersecurity attacks cannot be completely eliminated, it can, and should, be managed.
Navigating the medical device field
The safety, effectiveness, and security of medical devices is regulated by the Food and Drug Administration (“FDA”), among other regulatory bodies. These regulatory bodies have acknowledged the seriousness and enormity of the problem of medical device cybersecurity by publishing recommendations for managing cybersecurity risks and protecting patient health information, to assist manufacturers in their submissions for FDA approval of medical devices. But who has an equal, if not greater responsibility for maintaining device functionality, integrity and confidentiality of information, patient privacy, and device and information availability, to prevent adverse effect on patient safety? Such a responsibility is shared equally by manufacturers, health care providers, and patients.
So, what exactly is a “medical device?” Just as the technology available in our networked and mobile world progresses, so does the fluid definition of “medical device.” The FDA (comprehensively) defines a medical device as:
“an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
(1) recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
(2) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
(3) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”[iii]
While the definition may appear almost too all-encompassing to the unfamiliar or untrained eye, the definition is inclusive of the ten to fifteen million (and growing) medical devices within United States hospitals. It includes, for example, an infusion pump attached to a hospital bed, yet excludes health and wellness applications that run on mobile devices.
Vulnerabilities of medical devices
A vulnerability in a medical device is a weakness within that device, which may be exploited in the device’s information system, system security procedures, and internal controls, or may be exploited through implementation. A threat is the potential for a vulnerability to be exploited, the existence of which is determined by taking the likelihood of the threat actually occurring, juxtaposed with the severity of any potential adverse impact.[iv] The term “exploited” means that a vulnerability or vulnerabilities have been exercised or exposed either accidentally or intentionally, potentially impacting the essential clinical performance of a medical device or the system to which that medical device is connected or networked.[v] However, a vulnerability is not the same as a breach, inasmuch as a breach is the actual disclosure of financial or protected health information (“PHI”) to a third-party unauthorized user.
The increased use of wireless network connectivity and connection of devices to the Internet, coupled with the desire to make use of the information collected on a medical device in other health systems, has made medical devices more open, and subsequently more vulnerable, to cybersecurity threats. The FDA has become aware and warned of potential cybersecurity vulnerabilities and incidents that may have a direct impact on medical devices through hospital network operations, which include: networked medical devices being infected and/or disabled by malware; the use of wireless technology (i.e., cell phones, tablets, hospital computers, etc.) to access patient data, monitoring systems and implanted patient devices; uncontrolled distribution of passwords for privileged device access; failure to provide timely security software updates and patches to address vulnerabilities in older medical devices and networks; and security vulnerabilities in off-the-shelf-software that are not preventing unauthorized device or network access (i.e., use of plain text code, lack of authentication, hard-coded passwords, poor coding, etc.).[vi]
Medical devices are vulnerable to attacks for a myriad of reasons. One reason is that unauthorized third parties or hackers are provided information that may allow them to compromise a medical device via public information provided by certification agencies, device manuals and patent databases. A second reason is that not all operating systems are compatible with one another, which leads to misconfiguration and vulnerabilities through gaps in security. Attacks may also involve medical devices that are already compromised, which can be used to attack other health care organization networks. Having less encryption on the medical devices, while beneficial for emergency access, also presents opportunities for attacks. Other reasons include late or lack of software updates and/or basic security features to prevent tampering, as well as there being a lack of knowledge, awareness, and education on cybersecurity issues and best practices.[vii]
For more on cybersecurity and attacks on medical devices, and best practices to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks) stay tuned for parts two and three of this series, coming soon.
[i] Dan Craigen, Nadia Diakun-Thibault, Randy Purse, Defining Cybersecurity, Technology Innovation Management Review, 2014; at 13–21.
[ii] James A. Lewis, Cybersecurity and Critical Infrastructure Protection, Center for Strategic and International Studies, 2006.
[iii] U.S. Food and Drug Administration, Is The Product A Medical Device?, September 12, 2014.
[iv] Patricia AH Williams, Andrew J Woodward, Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem, Med Devices (Auckl). 2015; 8: 305–316.
[v] U.S. Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices, Draft Guidance for Industry and Food and Drug Administration Staff, January 22, 2016.
[vi] Sonali P. Gunawardhana, The Impact Of Cybersecurity Vulnerabilities On Mobile Medical App Development, December 4, 2015.
[vii] Williams, Woodward, supra note 4.
Cybersecurity Check-Up: Always A Good Time To Prepare to Protect ...
All Claims Means ALL: The PREP Act Provides Immunity in COVID-19 Vaccination Case ...
About Drug / Device Law Blog
Baker Sterchi's Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Paul Penticuff, and our Drug and Device practice.
Subscribe via email
Subscribe to rss feeds
RSS FeedsABOUT baker sterchi blogs
Baker Sterchi Cowden & Rice LLC (Baker Sterchi) publishes this website as a service to our clients, colleagues and others, for informational purposes only. These materials are not intended to create an attorney-client relationship, and are not a substitute for sound legal advice. You should not base any action or lack of action on any information included in our website, without first seeking appropriate legal or other professional advice. If you contact us through our website or via email, no attorney-client relationship is created, and no confidential information should be transmitted. Communication with Baker Sterchi by e-mail or other transmissions over the Internet may not be secure, and you should not send confidential electronic messages that are not adequately encrypted.
The hiring of an attorney is an important decision, which should not be based solely on information appearing on our website. To the extent our website has provided links to other Internet resources, those links are not under our control, and we are not responsible for their content. We do our best to provide you current, accurate information; however, we cannot guarantee that this information is the most current, correct or complete. In addition, you should not take this information as a promise or indication of future results.
Disclaimer
The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.
Confidential information
Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.