Plamena Entcheva-Dimitrov, PhD, RAC, founder of Preferred Regulatory Consulting and Joseph Madden, vice president of sales at Nova Leah, discuss cybersecurity of medical devices in the United States.
Security experts say “no” and explain that the internet was conceived and developed for ease of use, for convenience and for moving big data, while security was an afterthought. The FBI says that 90% of American companies are susceptible to a cyberattack. That is shocking! What is worse is that life-saving and life-supporting medical devices, or even entire healthcare networks, can be the target (deliberately or by coincidence) of such attacks, putting innocent lives at risk.
Introduction
As medical devices become more reliant on network connectivity to perform their basic functions or to interact with other devices, as smartphones host medical apps, and as algorithms are stored in the cloud, medical devices are becoming more vulnerable to cyberattacks. Medical devices are also a gateway into hospital networks storing sensitive patient data, which exacerbates the problem and intensifies the need to strengthen cybersecurity systems for medical devices.
Background
Industry groups, along with FDA experts, have been working on strengthening the cybersecurity of medical devices for over 20 years. Other agencies, such as the FCC, FBI, CISA and NIST, are also stakeholders in an increasingly complex healthcare system. A series of events, such as hacked insulin pumps, stolen personal health records and industrial espionage, has become routine in the press. These cyberattacks become possible through the medical devices that are connected to hospital, home, or public networks.
What is a cyberattack?
A cyberattack is an attempt to gain unauthorised access to a computer or computer network. No one is immune, and medical technology is one of the high-profile targets. The average cost of a cybersecurity incident in the healthcare sector in 2022 was $10.1 million. The costs go far beyond the monetary: of the hospitals that experienced a cybersecurity incident, 20% said they saw an increase in mortality rates during the attack.
Several outcomes from a cyberattack:
- Denial or destruction of your network services
- Theft or destruction of critical information
- Physical damage of infrastructure
In the medical field, there are several areas of vulnerability:
- an attack on medical devices or healthcare systems that threatens lives: life-supporting and life-sustaining devices are altered or disabled, or networks are brought to their knees by incapacitating key functions or causing outages.
- an attack on medical devices or healthcare systems that causes loss, damage or compromise of personal health information, i.e. loss of privacy.
Any one of these can affect our medical care, hospital, and home medical devices, such as ventilators, pacemakers, OR equipment, infusion pumps, ICU monitoring systems, glucose meters, dialysis machines and many more! Thus, FDA considers cybersecurity a critical safety issue. New submissions now must demonstrate reasonable assurance that medical devices are protected from cyberattacks. This assurance is gained through testing in varied environments, over wired or wireless connections and using different tools.
Some high-profile cases of cybersecurity attacks include:
- A hacked insulin pump back in 2012, when a patient hacked into his own pump to highlight the device's vulnerability, followed by the discovery of a larger issue with Medtronic insulin pumps
- Ransomware impacting radiation therapy for over 200,000 cancer patients
- In 2021, Armis reported nine critical vulnerabilities in a pneumatic tube system used in 3000 hospitals worldwide. The vulnerabilities could allow attackers to take control of the workstation and launch ransomware attacks
- Vulnerable pacemakers and implanted defibrillators
- Protected health information of 1.4 million patients potentially compromised in a ransomware attack in Georgia
As these examples show, the risks of malicious cyberattacks on medical devices and healthcare infrastructure are a matter of life and death. Thus, it is critical for manufacturers, and for healthcare providers at large, to conduct proper risk analysis and mitigate those risks in anticipation of a cyberattack. Cybersecurity risk analysis was first introduced by FDA in the 2014 guidance Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. As more medical devices are connected to networks, the need to conduct cybersecurity risk analysis and mitigation has become more critical, which led to the issuance of a new FDA draft guidance in 2022, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.
Recent changes in law
Medical devices are subject to the Food, Drug, and Cosmetic Act (FD&C, 21 U.S.C. 351 et seq). Recently, Congress, through the passing of the Omnibus Bill (H.R. 2617, Section 3305), amended the FD&C Act by adding a new Section 524B, Ensuring Cybersecurity of Devices. This section codifies new cybersecurity requirements for medical device manufacturers. The requirements are applicable to all types of medical device marketing submissions: 510(k)s, de novos and PMAs [submissions under section 510(k), 513, 515(c), 515(f), or 520(m)].
Updated requirements are as follows:
1. Plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
2. Design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available post-market updates and patches to the device and related systems to address—
- on a reasonably justified regular cycle, known unacceptable vulnerabilities; and
- as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks.
3. Provide a software bill of materials, including commercial, open-source, and off-the-shelf software components.
4. Comply with such other applicable requirements to demonstrate reasonable assurance that the device and related systems are cybersecure.
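Requirements 2 and 3 above fit together in practice: the software bill of materials is the inventory a manufacturer matches against incoming vulnerability advisories, and the result of that match decides whether a fix goes into the regular patch cycle or is shipped out of cycle. The following is an added example, not code from the article or from any regulator or manufacturer, showing that triage over a constructed, minimal CycloneDX-style SBOM for a hypothetical infusion pump and a constructed advisory feed. The component names, versions, advisory ids and the severity threshold used to decide "out-of-cycle" are all assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Constructed, minimal CycloneDX-style SBOM for a hypothetical connected infusion pump.
# Component names, versions and suppliers are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "rtos-kernel", "version": "3.2.1",
     "supplier": {"name": "Example RTOS Vendor"}},
    {"type": "library", "name": "tls-stack", "version": "1.0.4",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "bluetooth-le", "version": "2.7.0"},
    {"type": "application", "name": "pump-firmware", "version": "5.1.0"}
  ]
}
"""

# Constructed advisory feed: the ids and scores are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "tls-stack", "fixed_in": "1.0.5",
     "cvss": 9.8, "exploit_public": True},
    {"id": "ADV-EXAMPLE-002", "component": "bluetooth-le", "fixed_in": "2.8.0",
     "cvss": 6.5, "exploit_public": False},
    # Already fixed in the shipped rtos-kernel version, so it must not be reported.
    {"id": "ADV-EXAMPLE-003", "component": "rtos-kernel", "fixed_in": "3.2.0",
     "cvss": 7.2, "exploit_public": False},
]


def parse_version(v):
    # Dotted numeric versions only; compare as integer tuples so "1.0.10" > "1.0.9".
    return tuple(int(x) for x in v.split("."))


@dataclass
class Finding:
    advisory_id: str
    component: str
    shipped_version: str
    fixed_in: str
    cvss: float
    track: str  # "out-of-cycle" or "regular-cycle"


def classify(advisory):
    # Policy assumption for this example: CVSS >= 9.0 or a publicly available exploit
    # is treated as a critical vulnerability with uncontrolled risk -> out-of-cycle patch.
    # Anything else goes into the regular, justified patch cycle.
    if advisory["cvss"] >= 9.0 or advisory["exploit_public"]:
        return "out-of-cycle"
    return "regular-cycle"


def triage(sbom_json, advisories):
    # Match each advisory against the SBOM inventory by component name, drop advisories
    # whose fix is already present in the shipped version, and sort the rest so that
    # out-of-cycle items come first, highest CVSS first within each track.
    sbom = json.loads(sbom_json)
    inventory = {c["name"]: c["version"] for c in sbom["components"]}
    findings = []
    for adv in advisories:
        shipped = inventory.get(adv["component"])
        if shipped is None:
            continue  # component not in this device
        if parse_version(shipped) >= parse_version(adv["fixed_in"]):
            continue  # shipped version already contains the fix
        findings.append(Finding(adv["id"], adv["component"], shipped,
                                adv["fixed_in"], adv["cvss"], classify(adv)))
    findings.sort(key=lambda f: (f.track != "out-of-cycle", -f.cvss))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES):
        print(f"{f.track:13} {f.advisory_id} {f.component} "
              f"{f.shipped_version} -> {f.fixed_in} (CVSS {f.cvss})")
```

Run as a script, it lists the TLS advisory as out-of-cycle and the Bluetooth advisory as regular-cycle, and stays silent on the kernel advisory because the shipped version already includes the fix. The value of keeping the SBOM machine-readable is exactly this: the same inventory that goes into the premarket submission can be re-checked against every new advisory after market release without anyone re-deriving the component list by hand.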
Important dates to keep in mind
The effective date for the new requirements is 90 days after passing the bill, i.e. 29 March 2023.
The changes to the FD&C Act introduced in the 2022 Omnibus Bill (H.R. 2617, Section 3305) will lead to updates of some FDA final and draft guidance documents, so manufacturers of cyber devices (as defined in H.R. 2617, Section 3305) should be on the lookout for those. In the meantime, it is recommended that manufacturers of cyber devices familiarise themselves with the requirements in the amended FD&C Act.
As stated in Section 3305, within two years of the enactment of the new law, the HHS Secretary (through FDA) and the director of the Cybersecurity and Infrastructure Security Agency (CISA) will update the requirements for the information to be included in submissions for cyber devices.
Within 180 days, i.e. 22 June 2023, FDA is required to provide to the public information regarding improving cybersecurity of devices, including identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers.
Within one year of enactment of this law, the Comptroller General is required to publish a report identifying challenges in cybersecurity for devices, including legacy devices that may not support certain software security updates.
Conclusion
Medical devices are becoming sophisticated and increasingly reliant on network connectivity. The risks of cyberattacks on or through these sophisticated devices have increased exponentially, and the devices are often a gateway into hospital networks that store sensitive patient data, exacerbating the problem and intensifying the need to strengthen cybersecurity systems for medical devices. These cybersecurity vulnerabilities create risks and expose sensitive patient data, which ultimately leads to adverse patient outcomes, serious injury or, in some cases, death. Assessing and mitigating cyber risks for medical devices has become a major part of the design and development of connected medical device technologies, and detailed documentation needs to be (i) prepared from the beginning of each such project, (ii) included in the FDA submissions and (iii) maintained post-market.