- Outdated operating systems in connected devices could create patient safety issues in addition to medical device cybersecurity concerns. A faulty implanted device could impacts patients or ransomware could prevent patients from receiving proper care if a provider is temporarily shut down.
Legacy devices are the biggest cybersecurity challenge right now, not the devices that are new to the market according to Yarmela Pavlovic, who is a partner in the FDA Medical Device practice at Hogan Lovells.
The devices that were released at a time when cybersecurity wasn’t really an issue, or at least when it was not a key consideration in the industry, can create data security concerns, she told HealthITSecurity.com.
“One of the interesting things is that cybersecurity is an ever-evolving animal,” Pavlovic said. “While legacy devices are the big issue today, it’s interesting to think about what the issue will be in 10 years. What are we not thinking about today? We just have no idea what will be an issue in 10 years? It’s a real challenge for companies to address the unknown.”
Devices that weren’t intended to be network-connected are sometimes being “jerry-rigged with WiFi connectors or other network connections,” she added. For example, older devices might have USB ports there were meant for uploading software, but might also be used to connect the device to a hospital network.
However, open USB ports could also lead to problems, for example. Asking about open USB ports has become a common FDA question during premarket review, Pavlovic explained.
“We regularly get questions about [USB ports] if it’s not clearly addressed up front in a marketing application,” she said.
For example, a USB port meant for upgrading software can also be used to upload malicious software.
Assessing risk for digital health security
It has become a standard part of the pre-market review of all medical devices to assess whether or not there is any sort of connection to outside the device, Pavlovic stated. This is almost always the case when it comes to digital health.
“Then the assessment becomes focused primarily on whether the company – the manufacturer of the product – has assessed the potential for cybersecurity vulnerability and risk and how they have chosen to mitigate those risks,” she said. “Two years ago you could submit a new product application and not mention cybersecurity, and occasionally you would get questions. Now, it will be a question that FDA asks in every instance.”
The FDA issued a guidance document that lays out the information the agency expects to receive as part of that pre-market review, which is largely tied to risk analysis, Pavlovic added. The risk analysis is essentially the core of medical device design and development.
“You figure out what the risks of the product are, and that helps you figure out how you need to change it to mitigate those risks: to make the risks less likely,” she explained.
The FDA is also doing work with post-market surveillance on the backend. Once a product is available on the market – whether it is a new device or a device released 10 years earlier – FDA has a document to help companies figure out how they should be reassessing cybersecurity in the post-market phase. The guidance also aids in how changes should be reported, or handled so devices do not keep cybersecurity vulnerabilities in place once they’re identified.
“For medical devices that require FDA clearance or approval prior to marketing, every time you change that product after the first marketing authorization is granted, as a manufacturer you have to assess whether that triggers the need for a new filing with FDA,” Pavlovic observed. “Do you have to go back and get a new 510(k) or a PMA supplement? You also have to consider whether any changes made to address safety issues trigger recall reporting obligations.”
In exchange for companies being very proactive with cybersecurity, FDA has given them a bit of a pass on the number of things that need to be reported back to the agency, she said. It basically allows companies to move more nimbly to address potential vulnerabilities. In many instances it may not require a new 510(k), a new marketing authorization, or reporting under the recall rules.
Information sharing and collaboration have also been highlighted as important areas with medical device cybersecurity. This is also part of the proactivity, where companies need to participate in Information Sharing and Analysis Organizations (ISAOs) to skip some of their reporting obligations.
The FDA post-market guidance said such an approach is necessary given the understanding that cybersecurity risk management is a shared responsibility.
Manufacturers were also encouraged to participate in ISAOs.
“[Manufacturers] are supposed to be participating in an information-sharing organization, and those organizations serve kind of like clearinghouses of information,” Pavlovic said. “A manufacturer can submit information to the clearinghouse and have it be available to others in the industry without necessarily disclosing who reported the information.”
There is the idea that many organizations have very similar operating systems or other components that are being used off the shelf that then lead to potential vulnerabilities, she added.
“If the companies all share information, or all of the shareholders and stakeholders in this process share information, then that just increases the chances that another company will realize early that they have a potential issue and fix it,” Pavlovic explained. “FDA views the collaboration among all the different stakeholders as pretty critical to maintaining the cyber-health of the healthcare infrastructure.”
Creating long-lasting, comprehensive security measures
The FDA has principle jurisdiction over medical device manufacturers and companies that make products available. One of the very challenging things is that those devices then get implemented into a healthcare institution, Pavlovic stated.
“Sometimes they’re used at home, but often they’re being implemented by a hospital,” she noted. “The network within which the device is operating has an impact on cyber-vulnerability. There will be a continued emphasis for manufacturers to be working with healthcare institutions to try to protect the devices that are out there, and the networks on which they’re relying.”
There will likely also be continued efforts on furthering cybersecurity education and ensuring that companies are aware of, and thinking about the evolving cybersecurity issues, Pavlovic added.
“If you think about all other areas of risk for a medical device, you almost always are thinking about them in terms of the intended use of the product,” she pointed out. “Something that’s a little bit unique about cybersecurity is that the intended use of the product doesn’t necessarily matter.”
For example, perhaps a blood pressure monitoring device is connected to a hospital network, Pavlovic proposed. It might be connected through the cloud. Overall, the device seems fairly low-risk because it simply monitors vitals.
When it comes to cybersecurity though, it doesn’t really matter what that device does if it is a way in to the hospital network.
“If it is connected to the hospital network and also an external location like the cloud, then that connection may present a vulnerability for accessing the hospital network,” she said. “The consequences could be significant from a cybersecurity perspective, even though the risk of the device in a medical sense is quite low.”
“One of the messages that FDA has really been hammering on is you need to think about cybersecurity more broadly than the intended use of the product,” Pavlovic stated. “That is definitely a big piece of what they will continue to educate companies on.”
When it comes to cybersecurity, FDA’s biggest interest right now is not in punishing companies, but rather in helping them meet challenges, Pavlovic explained.
“There hasn’t been a lot of cybersecurity-oriented enforcement, because right now FDA’s in a very collaborative stance, trying very hard to get companies to work on this proactively,” she said.
However, if the FDA felt an organization was being too cavalier, then the agency could use any of the enforcement tools it already has at its disposal.
An FDA warning letter may be issued to a company, which could then become public. This could have a huge impact on a company, Pavlovic stated.
“The warning letter in some ways is sort of like a public shaming of the company that lets everybody in the public know that this company hasn’t been doing what they were supposed to be doing and that FDA is working with them to fix it,” she said.
While rare, FDA also has the ability to recall a device or product, Pavlovic noted. This is used when the agency feels that something is unsafe and the risk to health is significant.
“The FDA will escalate through the chain of possible enforcement tools, depending on the nature of the situation, the risk to patient health, and the extent to which the company tried to fix the problems once they became aware of them,” she said.