Plamena Entcheva-Dimitrov, PhD, RAC, founder of Preferred Regulatory Consulting, and Joseph Madden, vice president of sales at Nova Leah, discuss medical device cybersecurity in the United States.
Asked whether the Internet is secure, security experts say "no" and explain that it was conceived and developed for ease of use, for collaboration, and for moving large volumes of data; security was an afterthought. The FBI says 90% of US businesses are susceptible to a cyber attack. This is shocking! What is worse is that life-saving and life-supporting medical devices, or even entire healthcare networks, can be the target (deliberately or incidentally) of attacks that endanger innocent lives.
As medical devices rely more on network connectivity to perform their basic functions or interact with other devices, smartphones host medical applications, and algorithms are stored in the cloud, medical devices are increasingly vulnerable to cyber attacks. Medical devices are also a gateway to hospital networks that store sensitive patient data, exacerbating the problem and intensifying the need to strengthen cybersecurity systems for medical devices.
For more than 20 years, industry groups along with FDA experts have been working to strengthen the cybersecurity of medical devices. Other agencies, such as FCC, FBI, CISA, NIST are also stakeholders in an increasingly complex healthcare system. A range of events, including hacked insulin pumps, stolen personal health records and industrial espionage, are becoming mainstream in the press. These cyberattacks are possible through connected medical devices in the hospital, home or public networks.
What is a cyber attack?
A cyber attack is an attempt to gain unauthorized access to a computer or computer network. No one is immune, and healthcare is one of the most prominent targets. The average cost of a cybersecurity incident in the healthcare industry in 2022 was $10.1 million. The costs are far greater than money alone: of the hospitals that experienced a cybersecurity incident, 20% reported an increase in mortality rates during the attack.
Various results of a cyber attack:
- Denial or destruction of your network services
- Theft or destruction of critical information
- Physical damage to the infrastructure
In the medical field, there are several areas of vulnerability:
- attack on medical devices or healthcare systems, which threatens lives: life-support and life-sustaining devices are modified or disabled, networks are brought to their knees by disabling key functions or causing disruptions.
- attack on medical devices or healthcare systems, resulting in loss, damage, compromise of personal health information, loss of privacy.
Any of these can affect our healthcare, hospital and home medical devices, such as ventilators, pacemakers, operating room equipment, infusion pumps, ICU monitoring systems, glucose meters, dialysis machines and many more! Thus, FDA views cybersecurity as a critical safety issue. New submissions must now demonstrate reasonable assurance that the device is protected from cyber attacks. That assurance is demonstrated by testing in varied environments, over wired and wireless connections, and with different tools.
Some high-profile cases of cyber security attacks include:
- Hacked insulin pump in 2012, when the patient hacked his own pump to highlight the device’s vulnerability and discovered a larger problem with Medtronic insulin pumps.
- Ransomware affecting radiation therapy for more than 200,000 cancer patients
- In 2021, Armis reported nine critical vulnerabilities in a third-party pneumatic tube system used in about 3,000 hospitals. The vulnerabilities could allow attackers to take control of the control workstation and launch ransomware attacks.
- Vulnerable pacemakers and implanted defibrillators
- Protected health information of 1.4 million patients potentially compromised in Georgia ransomware attack
As these examples show, the risks of malicious cyber attacks on medical devices and healthcare infrastructure are a matter of life and death. It is therefore critical that manufacturers and healthcare providers conduct adequate risk analysis and mitigate those risks before an attack occurs. FDA first addressed cybersecurity risk analysis in its 2014 guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. As more devices are connected to networks, the need for cybersecurity risk analysis and mitigation has grown, leading to a new FDA draft guidance in 2022: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.
Recent changes in the law
Medical devices are regulated under the Federal Food, Drug, and Cosmetic Act (FD&C Act, 21 USC 301 et seq.). In December 2022, Congress amended the FD&C Act through the omnibus appropriations legislation (Consolidated Appropriations Act, 2023, H.R. 2617, Section 3305), adding a new Section 524B, Ensuring Cybersecurity of Devices. This section codifies cybersecurity requirements for manufacturers of "cyber devices". The requirements apply to every premarket pathway: 510(k)s, De Novo requests, PMAs and HDEs [submissions under section 510(k), 513, 515(c), 515(f), or 520(m)].
The updated requirements are as follows:
1. Plan to monitor, identify and address, as appropriate, in a reasonable time, post-marketing cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
2. Design, develop and maintain processes and procedures to provide reasonable assurance that the device and related systems are cyber-secure, and make available post-market updates and patches to the device and related systems to address:
- in a reasonably justified regular cycle, known unacceptable vulnerabilities; and
- as soon as possible out of cycle, critical vulnerabilities that could lead to uncontrolled risks.
3. Provide a software bill of materials (SBOM), including commercial, open-source, and off-the-shelf software components.
4. Comply with other applicable requirements to demonstrate reasonable assurance that the device and related systems are cyber-secure.
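Items 1 through 3 above describe a process, not a document, and a reviewer will expect to see that process actually connect: an SBOM that is complete enough to be searched, a feed of disclosed vulnerabilities checked against it, and a rule that decides which findings wait for the regular patch cycle and which go out of cycle. The following Python is an added illustration of that loop and is not code from the article, from FDA, or from either consultancy. The SBOM (CycloneDX-style JSON for a hypothetical infusion pump), the vulnerability feed, its identifiers, and the CVSS 9.0 threshold are all constructed for the example; the statute leaves the actual threshold to the manufacturer's risk process.

```python
"""Map FD&C Act Section 524B(b) items 1-3 onto a concrete check.

Added example, not from the article: parse a CycloneDX-style SBOM, flag
components missing the fields a reviewer will ask for, match components
against a vulnerability feed, and sort findings into the two patch buckets
the statute names (regular cycle vs. as-soon-as-possible out of cycle).
All data below is constructed; the VULN-* identifiers are not real CVEs.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed SBOM for a hypothetical infusion pump firmware.
# Component names/versions are invented; "pumpctl-rtos" deliberately
# omits the supplier to show the completeness check firing.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "supplier": {"name": "OpenSSL Project"}},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "supplier": {"name": "zlib"}},
    {"type": "library", "name": "pumpctl-rtos", "version": "3.4.0"},
    {"type": "application", "name": "vendor-ui", "version": "2.0.1",
     "supplier": {"name": "Example Medical"}}
  ]
}
"""

# Constructed vulnerability feed (placeholder IDs, not real CVEs).
# "affected" lists exact version strings to keep matching unambiguous.
VULN_FEED = [
    {"id": "VULN-0001", "name": "openssl", "affected": ["1.1.1a", "1.1.1k"],
     "cvss": 9.8, "exploited": True},
    {"id": "VULN-0002", "name": "zlib", "affected": ["1.2.11"],
     "cvss": 5.5, "exploited": False},
    {"id": "VULN-0003", "name": "pumpctl-rtos", "affected": ["3.3.0"],
     "cvss": 7.2, "exploited": False},
]

# Assumption: the score at or above which a finding leaves the regular
# cycle. 524B speaks only of "critical vulnerabilities that could lead to
# uncontrolled risks"; the exact threshold is the manufacturer's call.
CRITICAL_CVSS = 9.0


@dataclass
class Component:
    name: str
    version: Optional[str]
    supplier: Optional[str]


@dataclass
class Finding:
    vuln_id: str
    component: str
    version: str
    cvss: float
    exploited: bool

    @property
    def bucket(self) -> str:
        # Known exploitation or a critical score means out-of-cycle patching.
        if self.exploited or self.cvss >= CRITICAL_CVSS:
            return "out-of-cycle"
        return "regular-cycle"


def load_sbom(text: str) -> List[Component]:
    """Parse the CycloneDX JSON into components; reject other formats."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    comps = []
    for c in doc.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        comps.append(Component(c["name"], c.get("version"), supplier))
    return comps


def completeness_gaps(components: List[Component]) -> List[str]:
    """Name, version and supplier are the minimum needed to search a feed."""
    gaps = []
    for c in components:
        if not c.version:
            gaps.append(f"{c.name}: missing version")
        if not c.supplier:
            gaps.append(f"{c.name}: missing supplier")
    return gaps


def match_vulnerabilities(components: List[Component], feed) -> List[Finding]:
    """Exact name+version match against the feed (item 1: identify)."""
    findings = []
    for c in components:
        for v in feed:
            if v["name"] == c.name and c.version in v["affected"]:
                findings.append(Finding(v["id"], c.name, c.version,
                                        v["cvss"], v["exploited"]))
    return findings


def triage(sbom_text: str, feed) -> dict:
    """Return SBOM gaps plus findings split into the two statutory buckets."""
    comps = load_sbom(sbom_text)
    findings = match_vulnerabilities(comps, feed)
    return {
        "gaps": completeness_gaps(comps),
        "out_of_cycle": sorted(f.vuln_id for f in findings
                               if f.bucket == "out-of-cycle"),
        "regular_cycle": sorted(f.vuln_id for f in findings
                                if f.bucket == "regular-cycle"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON, VULN_FEED), indent=2))
```

Run as a script it reports one SBOM gap (the RTOS component with no supplier), one out-of-cycle finding (the exploited, CVSS 9.8 OpenSSL issue) and one regular-cycle finding (zlib); VULN-0003 is not reported because the shipped RTOS version is not in its affected list. In practice the feed would come from NVD, the supplier's advisories or a coordinated-disclosure intake, and exact-version matching would be replaced by the version-range logic of whatever package ecosystem the firmware uses, but the shape of the record a reviewer wants to see is the same.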
Important dates to note
The new requirements took effect 90 days after enactment (the Act was signed on December 29, 2022), i.e. on March 29, 2023.
The changes to the FD&C Act introduced by the 2022 Omnibus Act (HR 2617, Section 3305) will lead to updates of several final and draft FDA guidance documents, so manufacturers of cyber devices should watch for them. A "cyber device", as defined in new Section 524B(c), is a device that includes software validated, installed or authorized by the sponsor, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. In the meantime, manufacturers of cyber devices should familiarize themselves with the requirements of the amended FD&C Act.
As stated in Section 3305, within two years of enactment, the Secretary of HHS (acting through the FDA), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), must update the guidance on the cybersecurity information to be included in premarket submissions for cyber devices.
Within 180 days of enactment (June 27, 2023), the FDA must publish public information on improving device cybersecurity, including how health care providers, health systems and device manufacturers can identify and address cyber vulnerabilities.
Within one year of the enactment of this Act, the Comptroller General must publish a report identifying cybersecurity challenges for devices, including legacy devices that may not support certain software security updates.
Medical devices are becoming increasingly sophisticated and increasingly dependent on network connectivity. The risk of cyber attacks on or through these devices has grown sharply, and the devices are often a gateway to hospital networks that store sensitive patient data, exacerbating the problem and intensifying the need to harden medical device cybersecurity. These vulnerabilities create risks and expose sensitive patient data, and can ultimately lead to adverse patient outcomes, serious injury or, in some cases, death. Assessing and mitigating medical device cyber risks has become an integral part of the design and development of connected medical device technologies, and detailed documentation must be (i) prepared from the start of each project, (ii) included in FDA submissions and (iii) maintained after the device is marketed.
In today’s technology-savvy world, cybercrime is increasingly becoming an issue of concern. Medical devices are particularly vulnerable to malicious exploitation due to their capacity to store and process sensitive patient data. While manufacturers continually strive to ensure that the safety and security of medical devices remain uncompromised, the question remains: Are medical devices kept secure from cyber criminals?
Fortunately, most manufacturers and healthcare organizations are increasingly recognizing the importance of taking extensive measures to protect medical devices from cyber attacks. These measures often include detailed security procedures and protocols, redesigned operating systems and hardware architectures, and the addition of multi-level authentication and control mechanisms.
At Ikaroa, we believe that manufacturers should focus not only on developing products with secure hardware but also on making them intuitive, user-friendly, and even mobile-enabled. This includes creating mobile software and applications which, when securely integrated into the medical devices themselves, can successfully keep those medical devices shielded from malicious activities.
Another important measure is adherence to government standards and regulations. For example, the U.S. Food and Drug Administration (FDA) publishes cybersecurity guidance so that healthcare providers and manufacturers adequately protect their medical devices against cyber risks. By following these standards, manufacturers can ensure that their medical devices are not only safe and secure but also compliant with the applicable regulations.
In conclusion, medical devices must be kept secure from cyber criminals in order to protect confidential data and uphold patient safety standards. Manufacturers should continue to update and improve their products’ cyber-security features and adhere to government standards and regulations. Through these measures and initiatives, cyber criminals may be less likely to exploit medical devices and misuse the data they can access. At Ikaroa, we believe that only by achieving this balance between efficiency and security will medical devices become secure enough to keep confidential medical information safe.