Technology can improve human life in significant ways and aid in the fight against troublesome illnesses. Unfortunately, no technology is perfect — and newer technologies are especially prone to growing pains.
There are three major problems in today’s medical devices and wearables market: potential sabotage of the devices themselves, devices as a backdoor into networks and patient data, and device manufacturers taking advantage of regulatory loopholes to get their products on the market.
1. Many Devices Are Vulnerable to Tampering
When the Department of Homeland Security issues a warning about the security of a medical device, you know there’s cause for alarm. That was the case recently with implantable cardioverter defibrillators (ICDs) from Medtronic.
According to the DHS report, some of the potential for misuse and patient harm seem to represent an entirely new category of cybercrime:
– In addition to implantable defibrillators, the DHS warning also extended to pacemakers.
– These products provide doctors with the means to use radio wave connectivity to make remote changes to patient implants.
The DHS warning indicates that cybercriminals with “low-level” skills could access these devices and make changes to how they function. The only mitigating factor is that the would-be cybercrime would have to take place from within close proximity to the patient.
One solution to this problem began to take shape at the beginning of 2019. In light of this and other worries, the U.S. Food and Drug Administration will begin allowing the public to study previously secret files detailing known problems with medical device functionality and potential vulnerabilities. These “alternative summary reports” contain information on two million cases where patients or physicians reported “problematic” behavior or functionality in medical devices.
Brian Saucier, security architect for infrastructure, cloud, and security at NTT DATA Services, told HIT Consultant that, while the FDA requires a Premarket Approval (PMA) process for any medical devices that could pose significant risk of injury or illness, the FDA does not prescribe specific cybersecurity standards for device manufacturers to follow.
“[I]instead [the FDA] publishes guidance describing how software enabled (and especially network capable) medical device manufacturers or resellers can successfully navigate the PMA process,” Saucier says. “The core element of the guidance is the NIST cybersecurity framework.”
However, Saucier points out that “The NIST framework also does not specify specific controls or security protocols but establishes a comprehensive approach to managing cybersecurity risk.” This approach, he says, involves identifying and understanding the risks associated with software enabled medical devices, establishing detection controls to identify cybersecurity events and enabling recovery capabilities in the event of a cybersecurity issue.
In addition to these official channels, independent security researchers continue to study and report on the problem of cyber-vulnerabilities in medical devices broadly and Medtronic devices specifically. Billy Rios and Jonathan Butts, two cybersecurity researchers, raised alarm over insulin pumps and other devices remaining open to potential attack.
At the end of 2018, in light of these findings, the FDA issued warnings to doctors and Medtronic. In response, Medtronic issued a software update, but not before acknowledging they had taken “entirely too long to process, validate and mitigate” the researchers’ findings.
“Medical devices and wearables operate in a unique technology space with roots in standard enterprise Information technology (IT), industrial/operational technology (OT), and Internet-of-things (IoT) technology,” Saucier says. “The medical technology field inherited challenges from all three of these sectors.”
2. Unprotected Networks and Devices Provide a Back Door for Ransomware Attacks
Each year, the medical devices market grows by about 20%. But tampering with intent to cause bodily harm is just one type of potential misuse. Some of the others are familiar to any internet user. Patient monitoring tools, telemedicine portals, and wearable health devices all represent potential endpoints for cyber attacks — including fraud and ransomware.
“Ransomware is a challenge across all industries today including healthcare,” says Ross Carevic, director of technology sourcing at Vizient, where he leads the company’s Medical Device Cybersecurity Task Force. “From a health care perspective, it’s particularly challenging given the thousands of different device types create a much broader attack surface for hackers.”
In a hospital setting, any poorly protected terminal, Wi-Fi network or medical device could be used to grant access to the wider network. This puts patient health information (PHI) at extraordinary risk for health care systems. For black market data brokers, health information is even more valuable than credit card information. Instead of inflicting direct financial harm, thieves can use patient records to file fraudulent insurance claims, order prescriptions and more. Compared with financial credentials, which tend to be reported to banks quickly, medical information is sometimes still in use by hackers long after a known breach.
“In the case of medical devices,” says Carevic, “some of the types of vulnerability assessments that suppliers should be regularly implementing include port scanning, penetration testing, fuzz testing, and reverse engineering of critical binaries to ensure the software is doing what it was designed to do and nothing else. In addition, where possible the devices should be running commercial antivirus software to quickly identify and prevent malicious activity on the device before it’s impacted by something unintended like ransomware.”
As for ransomware, in 2018, some 18% of health care entities reported experiencing ransomware attacks or malware attacks made through their devices in the previous 18 months. For patients and health care systems, this is a wakeup call.
With these findings in mind, the FDA and DHS have new information-sharing processes in place to help device manufacturers and regulators communicate more effectively about cybersecurity issues. In what they call a memorandum of understanding, the DHS will coordinate communications between “stakeholders” — including the DHS, the FDA, medical device companies, researchers and others. The goal is to speed up coordination between parties and alert physicians and the public about problems more quickly than was possible before.
Another necessary step began taking shape in October 2018, when the FDA also issued its “premarket cybersecurity guidance” with the goal of encouraging security-mindedness long before devices become available for purchase.
3. Imperfect or Incomplete Approval Processes
Finally, we arrive at what, in some cases, might be the proximate cause of patient harm as a result of cyber-vulnerabilities.
The FDA’s approval process for medical devices has slowly been compromised by lobbying over the years to the point where device manufacturers don’t have to furnish proof that their devices actually do what they claim. Several loopholes also make it easy for device makers to get their products on the market even without proper testing.
Even some high-risk devices like surgical meshes and gastric balloons made headlines recently due to questions about their safety and effectiveness. Adding fuel to the fire is a 2008 Supreme Court decision which barred patients and their families from suing device manufacturers in some circumstances.
There is generally no way to conduct deliberate, detailed and large-scale surveillance for device safety and functionality. It can take years for safety issues to become common knowledge, and manufacturers generally under-report problems with their devices.
Philips demonstrates one way to investigate how products are performing, how they’re used and how they undergo repairs after the initial sale. Medical device manufacturers must demonstrate similar interest in proactively seeking and acting on data regarding the real-world performance of high-risk devices.
In most cases, the FDA provides a “self-registration” process — not an approval process. Thanks to this distinction, companies frequently misclassify their devices as similar to existing products using the “501(k)” process, which exempts the company from providing evidence of its efficacy. This is true even for “Class II” medical devices, which are considered “high-risk” if misused or if they malfunction.
To solve the problem of exploitable oversights in the approval process, lawmakers and the public need to be more wary of changes to the law promising to “speed innovation.” There’s abundant proof — one physician likened the situation to a massive cover-up — that device manufacturers frequently overstate the effectiveness of their products in their desire to get to the market before competitors.
As we’ve seen, though, each of these major problems with the health care device market has captured the attention of regulators and concerned citizens. With the efforts outlined here, including improved information-sharing, wider attention from concerned journalists and the exposure of previously hidden reports, we’re laying the framework for a safer and more transparent industry.