The healthcare industry is becoming increasingly reliant on Internet of Things (IoT) devices, which has pushed entities of all sizes to ensure they are staying mindful of medical device cybersecurity measures.
With medical devices that are used for patient care being potentially vulnerable to cyber attacks, organizations need to realize that patient data is not the only thing that might be put in danger: patient safety could also be put at risk.
Over the past few years, FDA has been taking sequential steps to incorporate medical device security into its rubric, said Reed Smith Partner Maryanne Woo. This is especially true when it comes to the hackability of a medical device.
“When you first talk about the FDA, you think about what the traditional FDA protections would be, such as decisions over whether the medical device unintentionally causes greater harm to the patient,” Woo said. “We're talking about physical harm.”
“But now what you're seeing is the FDA moving and expanding into this sphere of hackability,” she continued. “It is also moving into terms of the security of the device, whether that device can be hacked, and then can be manipulated to cause patient injury.”
The past few years have seen the agency move into this realm with non-binding guidance and recommendations regarding device security, Woo pointed out. This movement is a strong signal to the healthcare industry that it needs to consider device security all the way back to the design phase.
The next logical step will likely have FDA moving into mandatory requirements, she posited. Additionally, the agency could also start requiring manufacturers to take products off market because of security issues.
The Healthcare Cybersecurity Task Force also pointed out in its recent report that there were gaps in the current regulatory framework, Woo added.
“The FDA's main charge is focused on device safety and the device manufacturers,” she explained. “That's the area that they regulate – not hospitals. The hospitals do have a reporting requirement to the FDA when there's an adverse event. But the focus is then on working on the device within the device manufacturers to make whatever implementation is necessary to make it safer.”
HHS is also involved in that they do regulate hospitals and other covered entities, which may not necessarily include device manufacturers.
However, IoT is creating an intersection of those two sides essentially, as IoT devices will overlap in those two areas of regulations.
“Let’s say we have an IoT device that should be and is under FDA purview because it's a medical device, like an infusion pump,” Woo theorized. “The issue is with the things that make the IoT devices innovative. It has these sensors that will be able to capture data, collect the data, which is patient health information, and then transmit it to whoever needs to see it.”
Hackers see that information as valuable, she continued. That is why unauthorized parties are infiltrating healthcare organizations.
“Because the healthcare industry is becoming the number-one target for these hackers, FDA is clamping down,” Woo stressed. “There's a lot more government interest in this area. What's going to happen is that there's going to be a lot more regulatory mandates coming from the government.”
Fellow Reed Smith Partner Mildred Segura also stressed that patient safety is a key concern with medical device cybersecurity, especially with regard to FDA regulation.
“Cybersecurity and the loss of patient data, or disclosure of patient data, that's certainly one of the key concerns,” Segura said. “But for the FDA it ultimately boils down to patient safety.”
Citing FDA premarket management guidance released in 2014, Segura explained that manufacturers must consider security at the onset of a device’s lifecycle: not just on the backend.
“Deal with it at the time of design and development of your devices,” she stated. “And for many of these devices, that's a challenge. You have these devices that sometimes take years to design, develop, and to get approved or cleared by the FDA. Then they go out onto the market and may have a lifespan of five, 10-plus years.”
Healthcare providers and manufacturers must focus on FDA-issued guidance, which is the agency's attempt to interpret quality system regulations.
“Technology is evolving, this Internet of Things is not proliferating left and right,” Segura said. “It's not going away. It's time for us to step in and try and inform the industry standard, which is not yet set, by any means. We need to try and provide guidance to manufacturers who are trying to grapple with this issue.”
The most recent FDA guidance was issued in September 2017 and focused on medical device security and interoperability capabilities. The healthcare industry must pinpoint “specific considerations related to the ability of electronic medical devices to safely and effectively exchange information and use exchanged information,” FDA said in the document.
That guidance addresses the tension between having an interoperable medical device and then ensuring that it's safe from cybersecurity threats, Segura stated.
“It outlines in detail the key elements that manufacturers should take into account at the development stage,” she explained. “It also identified recommendations for pre-market submissions. In other words, if you have a manufacturer that's submitting a device to the FDA for approval or clearance, then here are some of the key pieces of information that the FDA wants to see with respect to cybersecurity.”
“The bottom line is that the guidance is setting the industry standard,” she continued. “As a manufacturer you want to be able to point to compliance with those recommendations.”
Even if manufacturers don't follow the exact recommendation, they want to have some mechanism in place that addresses the issues being identified by FDA, Segura noted. That way, device manufacturers can say, "We complied. We followed what the FDA was recommending."
Why collaboration is necessary for IoT device security
There is an increasing need for medical devices to be interoperable, Woo posited. The devices within one hospital or one organization need to be able to work together. But oftentimes the devices are all from different manufacturers.
“On average a hospital bed has about 10 to 15 medical devices connected to it at one time,” she said. “And all of them are not made by the same device manufacturer. Everyone has different specialties. They all need to be able to talk to each other. They all need to be able to share data, share information.”
That need for interoperability often means that there are very low security parameters in these devices.
“If someone from the outside can hack into the MRI machine, hack into the X-ray machine, or can hack into your blood gas analyzer – because none of them are set up to detect malware – then they can go anywhere into the hospital,” Woo stated.
This is what the Healthcare Cybersecurity Task Force report was discussing when it maintained that the industry needs to work together to overcome medical device security issues, she added.
“You can't deal with one IoT device manufacturer. You've got to deal with all of them,” Woo stressed. “All of them have to be on board with this. All of them have to make sure that their devices are secure and they're not so susceptible. But how do you do that?”
“That's why there has to be this conversation between the industry, between all the stakeholders in the healthcare industry in order to make this happen.”
Segura pointed out that the recently introduced Internet of Medical Things Resilience Partnership Act aims to do exactly that: identify security gaps and have industry stakeholders work together.
“It's really calling for all of these different parties to come together to generate a report recommending voluntary frameworks and guidelines to increase the security of the Internet of Medical Things,” she said. “It's a step in the right direction and ultimately it may lead to actual regulations.”
Agencies want to see the Internet of Medical Things evolve, as it can help patient care and even improve things from the cost perspective, Segura noted.
“There's no dispute that you have those benefits,” she said. “But there's this balance taking place of how much regulation you should have without impeding innovation.”