Medical devices are an especially rich cybersecurity target for malicious activity by those seeking commercial gain or just trying to wreak havoc. And while data theft is a serious threat, the risks posed by hacks that involve the expanding universe of networked medical devices can be especially menacing.
Nach Davé and John Pappan, Premier ResearchIn 2015, the FDA warned that a networked infusion pump was vulnerable to being accessed and controlled by unauthorized users. Concerned that attackers could harm patients by altering their medication dosing, the agency warned healthcare facilities to discontinue its use. Years earlier, before hacking of these devices was on most people’s radar, doctors for former Vice President Dick Cheney ordered that his heart defibrillator’s wireless capability be turned off to prevent the possibility of tampering by terrorists.
The motivation behind medtech hacking
Software-enabled devices have expanded exponentially and their function has evolved from one-way vendor monitoring to fully networked equipment with bi-directional connectivity. That has opened the door to wide-ranging exploitation of device data.
The most obvious motivation is mining data for information that can be used to target customers. A company that sells products and services to diabetics, for example, could benefit from locating patients who use insulin pumps. It may extend beyond patients to include family members: A genetic testing company might appeal to relatives of diabetics who are interested in knowing their own risk, or to purveyors of exercise equipment promoting the importance of fitness in diabetes prevention.
But there’s more than reaching consumers. If you’re considering building a hospital in a remote part of Africa, having access to data from patients’ devices in that region could help you decide whether to proceed. There are also many nefarious uses for stolen data. For example, a device maker could monitor the performance of its competitors’ products and use the information to modify its own offerings and exploit a competing product’s shortcomings in its marketing.
There are many other examples of less-than-altruistic uses of device data. A company whose drugs treat common chronic conditions might learn that a competitor is developing an implantable device that would give patients a concentrated form of treatment that cuts cost by reducing the required dosage. Stolen data about the device could be manipulated to call its safety into question.
Networked devices also can provide wide-ranging biometric patient information such as blood pressure, respiration, and blood enzyme levels. Companies that issue individual life insurance policies often purchase this information, repackaged by third parties to appear of legitimate origin, to evaluate clients for insurability and to set premiums.
And then there are people who use this data for truly devious purposes, including theft of intellectual property, spoof emails and fake websites used to obtain login credentials or install malware, and intentional disruption of care to harm or even kill patients.
How the threats are evolving
These risks will continue to multiply with the proliferation of unregulated devices, such as personal fitness trackers, and as the Internet of Things becomes a bigger part of everyday life. IBM predicts that the burgeoning web of hardware, software, electronics, and sensors will encompass 50 billion devices by 2020, or more than 60 pieces of connected hardware for every person on Earth. The National Institutes of Health says 40% of IoT-linked devices will be health-related — more than any other category.
These threats change constantly and are becoming ever more sinister, and thus harder to defend against. A 2015 KPMG cybersecurity survey of providers and health plans reported that four in five healthcare organizations had been attacked in the preceding two years, and only half felt adequately prepared to fend off a future assault.
Two years later after that survey, KPMG reported a dramatic rise in computer system breaches and data compromises. Still, 43% of respondents had not increased their cybersecurity spending. Just as concerning:
- 53% said they were relying on cyber insurance to protect their organizations in the event of an attack.
- 42% did not plan to increase their cybersecurity spending in the coming year.
- 34% had not invested in information security at all in the preceding 12 months.
“The value of digital assets across healthcare is skyrocketing, as are the risks and costs of regulatory noncompliance, reputational damage, and related cyber and privacy breaches,” the 2017 report said. It added that organizations that ignore this reality “are opening themselves up to unfathomable damage to their reputations, their finances, and even their viability.”
The regulatory response
In September 2018, the U.S. Department of Health and Human Services issued its own warning on medtech security. Specifically, HHS recommended that device makers and the FDA conduct presubmission meetings to better address cybersecurity-related questions, that the agency include cybersecurity questions as an element of its template for 510(k) submissions, and that it begin requiring cybersecurity documentation elements on its refuse-to-accept checklists.
The FDA also recommends that manufacturers include the following in their submissions for networked devices:
- A hazard analysis that lists the cybersecurity risks considered and the cybersecurity controls incorporated into the device.
- A traceability matrix linking the actual cybersecurity controls to the risks that were considered.
- The manufacturer’s plans for validating and updating device software.
- A description of controls in the software supply chain.
Much of the thinking and guidance on the security of networked medical devices is relatively recent and still evolving. FDA reviewers increasingly request additional cybersecurity documentation from manufacturers when performing premarket reviews, and the agency works extensively with manufacturers to address deficiencies in cybersecurity information.
Nach Davé is VP of global regulatory affairs and John Pappan is director of regulatory affairs and medical device and business strategy for Premier Research, a contract research organization for the biotech industry.
The opinions expressed in this blog post are the authors’ only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.