Medical device manufacturers grappling with a multitude of cybersecurity issues await final direction from the federal government on better protecting patients and managing risk.
The comment deadline is March 18 for the Food and Drug Administration’s draft premarket cybersecurity guidance. The proposed guidance provides updated recommendations for device manufacturers on how they can better protect their products from risks like ransomware or a catastrophic attack on a health system.
“The real challenge is we talk about medical devices as if they were one thing, like they were chairs before us and they all serve the same function when indeed there’s thousands of functions, hundreds and thousands of different makes and models of devices. So it creates a very unknowable kind of framework,” Phil Englert, Deloitte global leader for health-care technology, told a recent cybersecurity conference.
Defining and crafting the proposed guidance brought comments from companies including Becton, Dickinson & Co., GE Healthcare, and MedCrypt. All acknowledge the need for guidance and shared responsibility, including bringing in security researchers—hackers—to reveal vulnerabilities.
“As medical devices become increasingly connected to networks, security risks move beyond the device to intrusions across the digital network ecosystem. Therefore, we believe that cybersecurity in the healthcare setting is a shared responsibility among all stakeholders, including medical device manufacturers, system integrators, product owners/users and patients,” GE said.
Security vulnerabilities in health care can have deadly results. A data breach at a non-federal acute-care inpatient hospital was linked to an additional 34 to 45 deaths per 1,000 heart attack patient discharges per year, a Vanderbilt University study concluded.
Health care’s diverse universe of devices and systems—and reluctance to reinvest after spending millions of dollars on equipment—makes it especially appealing for attack. Add to that a rich source of information for bad actors, and health care is really tempting, Chris Duvall, a senior director of the security and risk advisory firm the Chertoff Group, told Bloomberg Law.
“From a bad guy’s point of view, the health sector is a nice sweet spot because you have all the personal information that you might get from a financial hack: insurance, name, and serial number. You have potentially a lot of the information from a retailer—folks paid with credit card information for medical tests or whatever,” Duvall said.
Risks are compounded by health care’s diverse supply chain, especially medical devices with legacy components such as software.
“Honestly I think supply chain is one of the biggest vectors that we will see, and it’s like the autobahn of criminal activities because you’ve got this trusted network into an environment,” said Mark Sangster, chief security strategist at eSentire Inc. The company specializes in managing and detecting cyber threats.
“The problem with supply chain is that they’re a trusted vendor, and we just assume they’re OK,” Sangster told Bloomberg Law.
The FDA’s proposed guidance wrestles with defining such baseline issues as patient harm, defined as physical injury or damage to the health of patients, including death.
The definition is incorporated into the two categories FDA has for cyberrisk in medical devices.
Tier 1 consists of implantable devices connected to another medical or non-medical product, a network, or the Internet, whether wired or wireless. Tier 2 contains the connected devices that don’t meet the Tier 1 criteria but send or maintain a person’s protected health data. MRI machines or portable cardio rhythm monitors fit in that category.
“I can’t think of vulnerability that would not affect patient safety, even if it’s rated at the lowest,” David Nathans, Siemens Healthcare product security manager, told the recent RSA data security conference in San Francisco. “If there’s an ability to exploit a vulnerability, then you have the ability to affect patient safety.”
Manufacturers need to figure out how to have a device that’s resilient to a cyberattack and give the user the ability to assess the risk, Nathans said.
Becton Dickinson suggested creating a tierless system to “promote implementation of equal security measures for all types of devices.”
MedCrypt, a medical device-centered cybersecurity company, agreed. “Create a single tier of requirements, and if a device vendor cannot meet due to device limitations, then a risk based assessment to justify divergence must be submitted during a pre-submission meeting.”
Tap a Hacker
The FDA should recommend device manufacturers devise a process to accept, digest, process, and address vulnerabilities that independent security researchers find before the device reaches the market, HackerOne, a San Francisco-based security testing firm that uses hackers to find vulnerabilities and test systems, told the agency.
“If all of these processes aren’t ready by the time a medical device is the market, there will be delays in implementing fixes to the bugs, increasing the likelihood of a bad actor discovering them,” Deborah Chang, HackerOne vice president of business development and policy, wrote.
GE endorsed bringing security researchers into the conversation.