By Sonali P. Gunawardhana, Wiley Rein, LLP
If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We often hear about large retailers victimized by a data breach that affects tens of millions of consumers, whose personal financial information is stolen. But these threats extend beyond personal financial data.
We also hear about breaches in military weapons systems, which can affect our national security. We may feel a bit removed from these types of breaches, but we trust that measures are being put into place by our government and military to safeguard us from possible threats and direct attacks.
In contrast, healthcare is not often thought of as a sector threatened by cyberattacks, but the amount of potentially accessible personal health data is vast and complex, and that wealth of data will only grow as innovators create new health-focused products, services, and applications. In a recent study,[i] 94 percent of healthcare institutions reported having been victims of cyberattacks. Some of these attacks seek financial or intellectual property gains; others seek to damage an institution's or an individual's reputation, or to make a political statement. There is a slew of opportunities for attackers.
Additionally, cybersecurity threats targeting computer-connected medical devices carry the risk of bodily harm to patients if a security breach affects the safety or effectiveness of the device. That exposure grows as medical devices become more connected to hospitals, insurance providers, and other medical devices. In fact, the U.S. Department of Homeland Security (DHS) has noted an increase in cyberattacks on medical devices.[ii] Although these attacks have primarily been associated with disruption caused by malicious programs and viruses, and have not directly affected patient safety, policymakers see a threat that needs to be addressed.[iii]
FDA Attempts To Regulate Medical Device Cybersecurity
The U.S. Food and Drug Administration (FDA) has attempted to mitigate the risk of future medical device-related cybersecurity threats in various ways. In June 2013, FDA issued a safety communication entitled Cybersecurity for Medical Devices and Hospital Networks,[iv] in which the agency recommended that medical device manufacturers and healthcare facilities adopt appropriate safeguards to reduce the risk of device failure due to a cyberattack. The safety communication summarized FDA's awareness of the problem and its scope, and made recommendations on how to implement appropriate cybersecurity measures for vulnerable medical devices, based on each device's connection platform and its individual software.
At the time of this safety communication, FDA reported that it was unaware of any patient injuries or deaths associated with hacking incidents, but the agency stated there was a need to address possible vulnerabilities, as the risk was potentially serious. FDA outlined some of these specific cybersecurity threats in that communication:
In response to these threats, FDA made broad recommendations to industry that could loosely be described as best practices. For medical device manufacturers, the recommendations directly addressed the need for appropriate oversight of each device, by the manufacturer, throughout the product lifecycle, from design through postmarket surveillance:
In terms of preventive action for healthcare facilities, FDA suggested the following:
As patient access to data and personalized care continues to be enhanced by connected medical devices, the threat of cybersecurity vulnerabilities also grows. Just two years after its initial cybersecurity safety communication, in July 2015 FDA issued an additional safety communication[viii] regarding the cybersecurity vulnerabilities of a particular infusion pump's legacy models. FDA, ICS-CERT and the pump manufacturer were made aware of the system's vulnerabilities after an independent researcher confirmed that it could be accessed remotely through a hospital's network.
Both the pump manufacturer and FDA proactively alerted customers to the system's cybersecurity vulnerabilities, though there were no known instances of cybersecurity breaches involving the device in a clinical setting, nor any unauthorized access to a hospital information system. Still, this scare showed that a more serious hack, such as the attack on a heart pacemaker depicted in the television series Homeland, could no longer be dismissed as fiction. With increased healthcare accessibility and a growing number of connected medical devices comes a greater population of hacker-susceptible devices, particularly as an ever-larger segment of the U.S. patient population becomes reliant on them.
Where To Find Clear Guidance For Mobile Medical Apps
The threat also applies to mobile medical apps, many of which are subject to FDA oversight based on their intended use. Mobile medical apps are even more exposed, given that mobile devices have become a favorite target of cybercriminals. The abundance of health data generated and collected by mobile devices and applications also raises significant privacy concerns, particularly when that information falls outside the scope of HIPAA and other federal statutes governing personal information.
Of course, the adoption of health IT applications, and their potential to improve care and even save lives, could falter if consumers and health care providers decide that the risks of use outweigh the benefits, making FDA’s cybersecurity recommendations all the more important.
Yet FDA has not specifically addressed mobile medical apps as a separate category of devices in terms of cybersecurity. I believe this is because the agency considers the guidance provided thus far to be applicable to mobile medical apps: the guidance documents for medical devices and for mobile medical apps reference many of the same fundamental device regulations and standards. For example, requirements for verification and validation, design controls, general and special controls, and establishment registration and medical device listing exist for both medical devices and mobile medical apps.
Until something more specific to mobile medical apps is drafted, app developers are best off reviewing FDA's guidance document Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff,[ix] issued in October 2014. The guidance provides design recommendations to consider, and information to include in FDA premarket submissions, for devices that contain software (including firmware) or programmable logic, as well as for software that is itself a medical device, to support effective cybersecurity management.
Additionally, this guidance adopted terminology from the National Institute of Standards and Technology's (NIST's) Framework for Improving Critical Infrastructure Cybersecurity[x] to point industry to a common framework that supports device and app development uniformly.
About The Author
Sonali P. Gunawardhana is Of Counsel in Wiley Rein LLP’s FDA Practice. She draws on nearly 10 years’ experience as an attorney at the U.S. Food and Drug Administration (FDA) to offer clients detailed and practical guidance on how to avoid and resolve FDA regulatory challenges. Gunawardhana received her LL.M. from Washington College of Law, American University, and her J.D. from the University of New Hampshire School of Law. She also holds an M.P.H. from Boston University, an M.A. from Webster University, and a B.A. from Syracuse University.