By Sonali P. Gunawardhana, Wiley Rein, LLP
If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We often hear about large retailers victimized by a data breach that affects tens of millions of consumers, whose personal financial information is stolen. But these threats extend beyond personal financial data.
We also hear about breaches in military weapons systems, which can affect our national security. We may feel a bit removed from these types of breaches, but we trust that measures are being put into place by our government and military to safeguard us from possible threats and direct attacks.
In contrast, healthcare is not often thought of as an area threatened by cybersecurity attacks, but the amount of potentially accessible personal health data is vast and complex, and that wealth of data promises to grow as innovators create new health-focused products, services, and applications. In a recent studyi, 94 percent of healthcare institutions reported being victims of cyber-attacks. Some of these attacks may seek financial or intellectual property gains, while others may seek to damage an institution’s or an individual’s reputation, or to make a political statement — there is a slew of opportunities for hackers.
Additionally, cybersecurity threats targeting computer-connected medical devices carry the threat of bodily harm to patients, if those security breaches impact the safety and effectiveness of the devices. This vulnerability continually increases as medical devices become more connected to hospitals, insurance providers, and to other medical devices. In fact, an increase in cyberattacks on medical devices has been noted by the U.S. Department of Homeland Security (DHS).ii Although these attacks have been primarily associated with disruption due to malicious programs and viruses, and have not directly affected patient safety, policymakers see a threat that needs to be addressed.iii
FDA Attempts To Regulate Medical Device Cybersecurity
The U.S. Food and Drug Administration (FDA) has attempted to mitigate the risk of future medical device-related cybersecurity threats in various ways. In June 2013, FDA issued a safety communication entitled Cybersecurity for Medical Devices and Hospital Networks,iv in which the FDA recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack. The safety communication summarized FDA’s awareness of the problem and its scope, and made recommendations on how to implement appropriate cybersecurity measures for vulnerable medical devices, based upon the devices’ various platforms for connection and their individual software programs.
At the time of this safety communication, FDA reported that it was unaware of any patient injuries or deaths associated with hacking incidents, but the agency stated there was a need to address possible vulnerabilities, as the risk was potentially serious. FDA outlined some of these specific cybersecurity threats in that communication:
- Network-connected/configured medical devices infected or disable by malware
- Malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted devices
- Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., by administrative, technical, and maintenance personnel)
- Failure to provide timely security software updates and patches to medical device and networks, and failure to address related vulnerabilities in older medical device models (legacy devices)
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.v
In response to these threats, FDA made broad recommendations to industry that could loosely be deemed as best practices. For medical device manufacturers, the recommendations directly addressed the need for appropriate oversight of individual devices, by the manufacturer, throughout the product lifecycle, from design through postmarket surveillance:
- Take steps to limit device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
- Appropriate security controls may include user authentication (for example, user ID and password, smartcard or biometric); strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code. Note that FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
- Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident where security has been compromised.
- Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation, as well as efficient restoration and recovery.vi
In terms of preventative action for health care facilities, FDA suggested the following actions:
- Restrict unauthorized access to the network and networked medical devices.
- Make certain that appropriate antivirus software and firewalls are up-to-date.
- Monitor network activity for unauthorized use.
- Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) may be able to assist in vulnerability reporting and resolution.
- Develop and evaluate strategies to maintain critical functionality during adverse conditions.vii
As patient access to data and personalized care continues to be enhanced by connected medical devices, the threat of cybersecurity vulnerabilities also grows. Just two years after its initial cybersecurity safety communication, FDA issued in July 2015 an additional safety communicationviii regarding the cybersecurity vulnerabilities of a particular infusion pump’s legacy models. FDA, ICS-CERT and the pump manufacturer were made aware of the system’s cybersecurity vulnerabilities after an independent researcher confirmed that it could be accessed remotely through a hospital’s network.
Both the pump manufacturer and FDA proactively alerted customers to the system’s cybersecurity vulnerabilities, though there were no known instances of cybersecurity breaches involving the device in a clinical setting, nor was there unauthorized access to any hospital information system. Still, this scare showed that a more serious hack — such as that of a heart pacemaker, as depicted in the television series Homeland — could no longer be discounted as fiction. With increased healthcare accessibility and an increasing number of connected medical devices comes a greater threat of hacker-susceptible medical devices — particularly as an ever-growing segment of the U.S. patient population becomes reliant on these connected devices.
Where To Find Clear Guidance For Mobile Medical Apps
The threat also applies to mobile medical apps, as many of those are subject to FDA oversight, based on their intended use. Mobile medical apps are even more susceptible, given that they have become a favorite target of cyber-criminals. The abundance of health data being generated and collected by mobile devices and applications also raises significant privacy concerns, particularly when that information is outside of the scope of HIPAA and other federal statutes governing personal information.
Of course, the adoption of health IT applications, and their potential to improve care and even save lives, could falter if consumers and health care providers decide that the risks of use outweigh the benefits, making FDA’s cybersecurity recommendations all the more important.
Yet, the FDA has not specifically addressed mobile medical apps as a separate category of devices in terms of cyber security. I believe it’s because the agency considers the guidance provided thus far as applicable to mobile medical apps: Both medical devices’ and mobile medical apps’ guidance documents reference many of the same fundamental device regulations and standards. For example, requirements for verification and validation, design controls, general and special controls, and establishment registration and medical device listing exist for both medical devices and mobile apps.
Until something more specific to mobile medical apps is drafted, app developers are best off reviewing FDA’s guidance document Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff,ix which was issued in October 2014. The guidance provides design recommendations to consider, and information to include in FDA medical device premarket submissions for devices that contain software (including firmware) or programmable logic — as well as software that is considered a medical device — for effective cybersecurity management.
Additionally, the this guidance adopted terminology from the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurityx to point industry to a framework that will assist device and app development uniformly.
About The Author
Sonali P. Gunawardhana is Of Counsel in Wiley Rein LLP’s FDA Practice. She draws on nearly 10 years’ experience as an attorney at the U.S. Food and Drug Administration (FDA) to offer clients detailed and practical guidance on how to avoid and resolve FDA regulatory challenges. Gunawardhana received her LL.M. from Washington College of Law, American University, and her J.D. from the University of New Hampshire School of Law. She also holds an M.P.H. from Boston University, an M.A. from Webster University, and a B.A. from Syracuse University.
- Filkins, B. SANS Institute. Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare On Horizon. Norse, February 2014
- Finkle, J. “U.S. Government Probes Medical Devices for Possible Cyber Flaws,” Reuters, October 22, 2014
- Finkle, J. “U.S. Government Probes Medical Devices for Possible Cyber Flaws,” Reuters, October 22, 2014