Cybersecurity is front and center in all industry sectors now that practically everyone and everything is connected to the internet. The National Highway Traffic Safety Administration is working on accelerating cybersecurity standards for automakers now that today’s automobiles are computerized (and some are self-driving), creating the risk that hackers could remotely take control of a moving vehicle. Recent headlines have focused on hackers targeting law firms by leaking confidential information, such as the “Panama Papers,” or shutting down a firm’s email and computer systems (and thus their billable hours) through ransomware, as DLA Piper recently experienced. Likewise, the retail and credit industries have had their fair share of headlines, including the recent Equifax hack in September.
Additionally, headlines featuring cybersecurity concerns from hospital networks and device manufacturers in the healthcare industry have become more prevalent and pose significant threats to patient safety, protected health information, reputation, and even stock prices. Having your credit card compromised is one thing; but having a hacker steal your medical records or access and remotely control your implanted medical device is quite another. As devices become increasingly connected and sophisticated, they become more susceptible to cyber-attacks. In order to protect patient safety as well as control the negative publicity that stems from publicized vulnerabilities, medical device manufacturers need to proactively identify cybersecurity threats and implement software or firmware updates to mitigate threats.
WHAT MAKES THE HEALTHCARE INDUSTRY DIFFERENT?
The healthcare industry is particularly vulnerable to cyber-attacks in the form of unauthorized access to protected health information (subject to HIPAA and FISMA regulations), email phishing and malware attacks on hospital networks, and remote takeovers. device can allow attackers to compromise an entire network. Hackers are targeting the healthcare industry because patient data is a valuable target, healthcare networks may be less secure, there is an expansive victim pool, and there is a lack of regulatory control on device cybersecurity. Ransomware attacks on hospitals are becoming more prevalent. This is a scenario in which a hacker gains access to and encrypts a hospital’s network and data, thereby forcing hospital administrators to decide whether to pay the hacker’s ransom demand in order to get the encryption key or to shut down operations while the authorities conduct an investigation.
EXPECT TO SEE MORE WARNING LETTERS AND SAFETY ALERTS FROM THE FDA REGARDING FIRMWARE UPDATES
The most commonly described cybersecurity threats to connected devices concern hackers remotely accessing insulin pumps or pacemakers. Pacemakers contain embedded computer systems that can be vulnerable to cybersecurity hacks. As medical devices become increasingly interconnected via the Internet to hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates. An episode of the TV show Homeland depicted a scene where hackers assassinated the Vice President of the United States by remotely disabling his pacemaker. This scene was reportedly inspired by Dick Cheney’s revelation that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might access his device remotely to harm him.
On August 29, 2017, the FDA and Abbott, which acquired St. Jude Medical earlier this year, issued a safety notification encouraging patients with implantable pacemakers to see their doctors for firmware updates to the device hardware to prevent their pacemakers from being hacked. Abbott issued a “Dear Doctor” letter the day before describing the firmware update process. Firmware is a specific type of software embedded in the hardware of a medical device. Although there are no known reports of patient harm related to cybersecurity vulnerabilities, the FDA’s safety notification confirmed that the vulnerabilities are a real threat because hackers could remotely harm a patient by rapidly depleting the battery or by sending inappropriate pacing or shock commands. All medical device manufacturers should use Abbott’s recent experience as an example of why it is critical to proactively patch cybersecurity vulnerabilities before hackers (or the FDA) create a patient safety or PR nightmare.
A cybersecurity researcher brought potential vulnerabilities to Johnson & Johnson’s attention after identifying potential ways hackers could exploit a cybersecurity flaw in its connected insulin pump devices to remotely trigger additional doses of insulin, which could be life-threatening in extreme cases. On October 4, 2016, upon learning about this vulnerability, Johnson & Johnson proactively warned customers and provided advice on how to fix the problem. This was reportedly the first time a manufacturer had proactively issued such a warning to patients about a cybersecurity vulnerability.
FDA’S POSTMARKET GUIDANCE
To help protect against the evolving threat of hacking, the FDA has issued postmarket guidance to medical device manufacturers for continued monitoring, reporting, and remediation of device cybersecurity vulnerabilities. Key takeaways from the new guidance include: (1) Medical device manufacturers should monitor, identify, and address cybersecurity vulnerabilities through the establishment of postmarket cybersecurity management processes; (2) A risk-based framework should be used for assessing when cybersecurity-related device changes should be reported to the FDA; and (3) Cybersecurity risk management is a shared responsibility among stakeholders that include the medical device manufacturer, the user, the Information Technology system, hospitals, and Health Information Technology developers and vendors.
Further, the FDA encourages hospitals and device manufacturers to implement the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The best way for device manufacturers to combat hacking threats is to consider and evaluate cybersecurity vulnerabilities through the total lifecycle of the device, from building in cybersecurity controls during development to continuously monitoring and patching threats once the product is being used by patients. The FDA’s guidance indicates that manufacturers are not required to report to the FDA routine cybersecurity updates and patches (considered device enhancements), as long as the risk of patient harm is controlled. In assessing uncontrolled risk, “manufacturers should consider the exploitability of the vulnerability and severity of patient harm if exploited.” The FDA does not intend to enforce reporting requirements under CFR 806 if all of the following circumstances are met: (1) No known serious adverse events or deaths are associated with the vulnerability; (2) Remediation occurs within a tiered 30- and 60-day timeline; and (3) The manufacturer actively participates as a member of an ISAO that shares vulnerabilities and threats that impact medical devices. Importantly, device manufacturers may need to consider implementing cybersecurity controls for legacy devices that are connected to networks.
BEST “CYBER HYGIENE” PRACTICES: IDENTIFY, PROTECT, DETECT, RESPOND AND RECOVER.
Taking into consideration the FDA’s Postmarket Guidance, medical device manufacturers and healthcare systems should implement best “cyber hygiene” practices to establish a proactive, comprehensive risk management program to mitigate, monitor, and protect against cybersecurity threats, including:
- Automated monitoring of cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and malware across all medical devices, especially those devices that are connected to networks;
- Maintaining robust software lifecycle design verification and validation processes that include mechanisms for identifying and assessing risks, as well as updating and patching to protect against new vulnerabilities;
- Educating and training company leadership and employees on understanding, assessing, and detecting the presence and impact of a vulnerability (such as being aware of email phishing schemes and how to avoid them);
- Engaging in collaborative information sharing for cybersecurity vulnerabilities and threats;
- Proactively communicating cybersecurity updates and guidance to patients and healthcare providers; and
- Establishing an incident response and corrective action plan for handling a cyber-attack if one occurs, including investigation, managing the event, preserving the evidence, complying with privacy laws, and notifying the applicable regulators.
One thing is very clear: manufacturers need
to understand, assess and detect the level of potential risk that cybersecurity
vulnerabilities pose to patients and then implement processes to continuously
monitor and rapidly detect and patch those vulnerabilities before they are
exploited. Manufacturers have the obligation to ensure that connected legacy
devices are still able to protect patient data and mitigate cybersecurity
threats. Failure to properly assess cybersecurity risks of connected devices
during the premarket phase is likely to lead to the FDA rejecting or delaying
devices from coming to market. Similarly, failure to continuously assess and
patch vulnerabilities of connected devices already on the market is likely
going to result in FDA warning letters or other enforcement action, negative
publicity, damage to reputation and patient trust in the company, and, most
importantly, potential harm to patients. Lastly, healthcare systems should be
cognizant of the devices that are connected to their networks and have
processes in place for monitoring and detecting cybersecurity threats.
 Should Hospitals Pay Up Following A Ransomware Attack? The Answer is Far From Simple (Evan Sweeney, April 27, 2017), http://www.fiercehealthcare.com/privacysecurity/should-hospitals-pay-up-following-a-ransomware-attack-answer-far-fromsimple.
 Medical Device Cybersecurity: Maybe Dick Cheney Was Not So Paranoid After All, Drug & Device Law Blog (Steven Boranian, Sept. 4, 2015), https://www.druganddevicelawblog.com/2015/09/medical-device-cybersecurity-maybe-dick.html.
 J&J Warns Diabetic Patients About Hacking Risks of Insulin Pumps (Michelle Cortez, Oct. 4, 2016), https://www.bloomberg.com/news/articles/2016-10-04/j-j-warns-diabeticpatients-about-hacking-risks-of-insulin-pumps.
 J&J Warns Diabetic Patients: Insulin Pump Vulnerable to Hacking (Jim Finkle, Oct. 4, 2016), http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e/jjwarns-diabetic-patients-insulin-pump-vulnerable-to-hacking-idUSKCN12411L.
 Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Issued on Dec. 28, 2016), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.