With the continued push for interoperability and integration of EHRs into daily use, connected medical devices are quickly becoming more common tools for healthcare providers.
However, similar to the way computer networks and systems can become vulnerable to data security issues, medical device cybersecurity threats can be especially dangerous for covered entities.
Not only could a compromised medical device potentially allow an unauthorized user access to a healthcare provider’s network, it could put patient safety at risk. Any unauthorized adjustments made to certain devices, such as dosages in medication or how the device is properly operated, could be dangerous and life threatening to patients.
The Food and Drug Administration (FDA) monitors “reports of adverse events and other problems with medical devices” and has previously found potential cybersecurity issues in implantable cardiac devices.
Healthcare organizations need to better understand the potential dangers of unsecured medical devices and ensure that they adhere to federal regulations while also staying mindful of recent guidelines designed to assist in creating strong medical device cybersecurity.
FDA postmarket guidance and how it applies to healthcare
In December 2016, the FDA published the final version of its “Postmarket Management of Cybersecurity in Medical Devices,” which appeared previously in draft form in January 2016.
Medical device manufacturers are encouraged to consider potential cybersecurity risks and vulnerabilities “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device,” according to the FDA.
The report also highlighted collaboration and information sharing as necessary measures given the understanding that cybersecurity risk management is a shared responsibility among stakeholders. This includes medical device manufacturers, users, information technology (IT) system integrators, and health IT developers.
“Public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations (HDOs), the clinical user community, and the medical device community,” FDA advised in the finalized document.
The FDA guidance specifically applies to any marketed and distributed medical device, including devices containing software (e.g., firmware) or programmable logic. Also falling under the guidance is software that constitutes a medical device, including mobile apps. Investigational devices are not susceptible to the postmarket guidance.
For us to be able to identify and share those risks and vulnerabilities, that’s critical to solving the medical device cybersecurity problem.
The FDA guidance is a welcome gift and boon to providers, Intermountain Healthcare CISO and Assistant VP of Information Systems Karl West told HealthITSecurity.com.
“It really is a partnership between a provider and a medical device manufacturer,” West explained. “We take a device that they built, and we deploy it in our environment. This guidance gives us a better ability to work together to identify risks, threats, and any vulnerability between us.”
Having an open discussion is also critical, which is why the collaboration and information sharing aspect of the guidance is essential, West added.
“For us to be able to identify and share those risks and vulnerabilities, that’s critical to solving the medical device cybersecurity problem,” he noted. “We’re actually pleased with the guidance.”
However, West pointed out that it is still guidance and is therefore not binding, such as with federal regulations. The topic of cybersecurity is also not as specific as it could be, he observed.
“If you look at cybersecurity, which is the title of the document, this isn’t the breadth and the width of what we need to do to protect these devices,” West said. “Protecting against malware, breaches, ransomware, and DDoS attacks could all be affected through these devices.”
Overall, the guidance is a good first step, leaving room for more things to be accomplished in the future.
DigiCert VP of Healthcare Solutions Mike Nelson concurred that it is necessary to realize that the guidance must be taken as non-binding recommendations.
Even so, there are two important guiding principles in the guidance that various stakeholders in the industry should understand.
“First, it is a risk-based approach. It’s really to assess, to understand, and to mitigate the risks and then to allow the benefits of these devices to play out,” Nelson stated.
“The second guiding principle is that it is a shared responsibility among the different stakeholders,” he continued. “Those stakeholders could be patients, providers, medical device manufacturers, and even service providers like us. There are components of the document that are helpful and are moving the industry in the right direction, and then there are some gaps in areas where it could also be potentially made stronger.”
While the FDA guidance is specified toward device manufacturers and how they address premarket and postmarket lifecycle phases, there are also key takeaways for providers.
“At a high level, this is an area of high concern and high risk for provider organizations because of the volume of devices that we have,” Intermountain’s West explained. “The fact that they fall outside of traditional information security control, that means they’re not in a cybersecurity model that’s understood and well managed.”
These medical devices are complex, very different, and they come in from many sources. Then they might not be on a provider’s inventory.
Those issues and risks fall on the radar of all healthcare organizations and force entities to understand and try to put it all together, he continued.
“What concerns us are traditional end points, servers, and things like that,” he said. “We have good understanding and knowledge around that. These medical devices are complex, very different, and they come in from many sources. Then they might not be on a provider’s inventory.”
Medical devices provide great benefits to the healthcare community, added the DigiCert VP, but those same devices also come with risks.
Better patient outcomes, closer monitoring, being able to gather Big Data, and population health are all “solid benefits” that patients and the industry can gain.
“The risks are real and need to be treated seriously,” Nelson warned. “A lot of progress has been made in the last year, helping to make these devices that are providing critical care more secure.”
- How FDA Medical Device Cybersecurity Draft Affects Healthcare
- FDA Finds Potential Cybersecurity Issues in St. Jude Devices
The necessity of information sharing for medical device manufacturers
While FDA has stated that the guidance is focused on device manufacturers, its recommendations still apply to the healthcare providers, Russell Jones, partner in Deloitte’s Cyber Risk Services group, told HealthITSecurity.com.
“The guidance is really about, and focused on, what they’re expecting the device manufacturers to do to manage cyber risks related to their products — the medical devices,” Jones said.
One key focus area for the manufacturers, though, is that FDA makes clear its desire for manufacturers to participate in Information Sharing and Analysis Organizations (ISAOs). For those that do participate, incentives become available when they do end up having vulnerabilities with their medical devices that could impact patient safety.
For those device manufacturers that don’t, they’re not going to receive those same incentives, Jones stated. FDA is going to fully enforce existing reporting requirements related to those vulnerable medical devices.
FDA also laid out specifically how it defines participation, he noted. It is not enough for a manufacturer to write a check to any ISAO and claim to be participating.
FDA wants to see tangible evidence that it can process that data, and relate it back to the overall cybersecurity program, risk assessment process, and vulnerability remediation.
“First, they’ve got to deal with an information-sharing analysis organization that actually shares vulnerability and threat intelligence,” Jones explained. “The ISAO has to be in the business of sharing vulnerability information and threat intelligence related to these medical devices.”
The second requirement is that the ISAO must have documented policies that detailing its business model and plans to protect the information being shared by the manufacturers, which includes everything about the structure and governance plan in place for that ISAO.
“The third and fourth requirement is kind of logical. The manufacturer has to share their vulnerability information, however they come in possession of it,” Jones observed. “They also need to share threat intelligence and customer communications they may send out as a result.”
The manufacturer must also be able to process information shared from the ISAO to them. FDA wants to see tangible evidence that it can process that data, and relate it back to the overall cybersecurity program, risk assessment process, and vulnerability remediation.
“If you’re doing those four things as a manufacturer as it relates to an ISAO, then when you do end up having an uncontrolled vulnerability — under the FDA’s definition — with a connected medical device, then you have uncontrolled risk,” said Jones. “As long as you’re actively participating, then in many cases FDA will not enforce the reporting requirements (per 21-CFR-806) that normally you would have to follow for any kind of adverse event with the medical device.”
Jones noted though that in certain cases — for example, if an uncontrolled risk could actually impact patient safety or the essential performance of a device — then “all bets are off.”
- Why Collaboration is Key for FDA Medical Device Cybersecurity
- Will NAIC Cybersecurity Regulations Affect Healthcare Industry?
Timely responses to an ever-evolving threat landscape
Another key area discussed in the FDA guidance are software updates and device patching, according to Intel Security’s GM of IoT Security Solutions Lorie Wigle,
“For IoT devices in particular, especially since many of them have very long lives, patching and performing updates are going to be even more important than it is in other industries,” Wigle told HealthITSecurity.com.
Hackers are continuously evolving their methods and not just in the healthcare sector, she added. This is also why information sharing is going to be so essential in forming stronger security measures.
Using an Android operating system as an example, Wigle explained that sometimes a particular version of Android will have a vulnerability. Perhaps that weakness is first discovered in a completely different segment. But once that vulnerability is discovered, device manufacturers must have a mechanism to upgrade devices using that version.
“It's not just good enough to have the device secured when it's shipped out the door, but you need to be able to keep the security current, to address the things that are happening in the field and out in the wild,” she stated.
Healthcare is still learning about the threat environment and what is going to motivate people to attempt to compromise medical devices and other IoT devices, Wigle said. Information sharing is going to be very useful in that respect as well.
“If we're seeing a particular kind of attack where a particular protocol is being used, or there's a particular source of the anomaly, if we share that then we can take action to address it very quickly,” noted Wigle. “Being able to respond in a more timely fashion is a very positive outcome of information sharing.”
Further guidance and advice for stronger cybersecurity measures will also continue to evolve, Wigle maintained.
“Technology is going to continue to evolve and the usage for it will continue to evolve,” she said. “If that happens, and maybe we're connecting medical devices to something that we hadn't intended to before, there may be a new vector that needs to be addressed from that perspective.”
- Information Sharing Key in Improving Healthcare Cybersecurity
- ISAO SO Releases Cybersecurity Information Sharing Guidance
A need for regulatory requirements to further improve cybersecurity
Looking to the future, West emphasized the importance of actual regulations being implemented, those that go beyond the guidance.
Patient safety issues and data breach issues are significant threats, he stressed. The postmarket guidance could be misinterpreted as “here are guidelines you need to follow for cybersecurity.” There is almost little or no reference to all of the things beyond patient safety.
“If you talk about a breach, the attacks that can happen through these threat vectors, the ransomware attacks that could affect these implants, those all have to have same recognition,” West suggested. “That could happen between a connection between FDA guidance and HIPAA regulations.”
He noted that significant progress has been made though: discussions and meetings on the topic as well as reviews of roles and accountabilities.
“In this environment, the breadth and width of the problem is so daunting that we have to recognize that each of us has a critical role to play,” he said. “A patient can bring in a device, there is ambulatory care, acute care, and physician practices. These devices come in from so many different areas. As we go forward, in order to be successful, all of us have to recognize the critical role we play and cooperate to make this safe for patients and secure for patients’ data.”
Nelson agreed that a stronger position on medical device cybersecurity would be beneficial, but that progress has indeed taken place over the past few years.
For example, the recent guidance removes the crutch that the industry has leaned on, which is the language around cybersecurity routine and updating patches.
As we go forward, in order to be successful, all of us have to recognize the critical role we play and cooperate to make this safe for patients and secure for patients’ data.
“Medical device manufacturers have historically used the FDA as a reason not to improve cybersecurity for medical devices currently deployed, through techniques such as patching and other types of updates,” Nelson said. “This document makes very clear that routine cybersecurity updates and patches are considered device enhancements, and in most situations do not require further documentation with the FDA.
“That now gives manufacturers the ability to go and do patch management and update devices to improve the cybersecurity of those that have already been deployed.”
- House Subcommittee Talks Connected Device Cybersecurity Issues
- Researchers Claim Medical Devices Vulnerable to DoS Attacks