Blog Tag: cybersecurity
The U.S. Food and Drug Administration (FDA) announced an agreement with the U.S. Department of Homeland Security (DHS) to strengthen the partnership between the agencies and “stay a step ahead of constantly evolving medical device cybersecurity vulnerabilities.”
The agreement formalizes a long-standing relationship by developing a new framework for greater coordination and cooperation. As part of the new framework, specific responsibilities have been assigned to the FDA and the National Protection and Programs Directorate (NPPD), a component of the DHS. The following table provides a breakdown of the responsibilities outlined in the agreement:
|FDA Responsibilities|NPPD Responsibilities|
|---|---|
|1. Coordinate and participate in regular, ad hoc, and emergency coordination calls to enhance mutual awareness of vulnerabilities and threats|1. Serve as central medical device vulnerability coordination center|
|2. Provide NPPD with draft public releases to facilitate coordination of messaging|2. Participate in regular, ad hoc, and emergency coordination calls with FDA to enhance mutual awareness of vulnerabilities and threats|
|3. Comment in a timely manner on NPPD draft advisories and alerts|3. Confer with entities providing sensitive information prior to sharing any CCI, trade secret, or PCII-protected vulnerability or product information with the FDA|
|4. Assess the risk to health and patient harm when potential impact is disputed|4. Coordinate with FDA on the content of alerts and advisories to be published by DHS|
|5. Submit requests to NPPD for independent third-party technical assistance to analyze and test medical systems|5. Maintain technical capabilities to support requests for independent third-party analysis regarding the impact of vulnerabilities|
|6. Share non-trade secret information to resolve disputes of risk, impacts, and communication|6. Publish healthcare and public health related alerts and advisories|
In summary, the DHS will serve as the central coordination center and interface with appropriate stakeholders, and the FDA will provide technical and clinical expertise regarding medical devices.
FDA Commissioner Scott Gottlieb, M.D., during his discussion of the new agreement, addressed the FDA’s continued commitment to confront cybersecurity risk, while also recognizing the need for increased coordination between government agencies:
The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns . . . But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone. Every stakeholder has a unique role to play in addressing these modern challenges. That’s why this announcement is so important.
This agreement is not the first time a government agency has reached out to the FDA in an effort to strengthen medical device cybersecurity. As previously reported on the KnobbeMedical blog, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General recommended earlier this year that the FDA include cybersecurity review as a greater part of the premarket review process for medical devices (e.g., through the inclusion of a Refuse-To-Accept checklist). This new FDA-DHS agreement is another example of continuing attempts to address ongoing medical device cybersecurity risks.
In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.
The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.
Currently, the FDA reviews documentation that manufacturers submit regarding cybersecurity as part of the premarket submissions. The FDA uses this information to consider known cybersecurity risks and threats when reviewing submissions that deal with networked medical devices. The FDA may request additional information from applicants when submissions require clarification or when cybersecurity documentation is lacking. In view of these requests, the FDA regularly approves manufacturers on cybersecurity issues when sufficient documentation is provided.
For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”
Because of examples like this, the report suggests using cybersecurity documentation as an element in the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of these checklists, failure by a manufacturer to provide adequate cybersecurity documentation could prevent the FDA from accepting the submission for substantive review.
The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings serve as a way for manufacturers to ask the FDA specific questions, such as whether the submission satisfies the FDA’s standards. During these meetings, the FDA can include cybersecurity as part of the discussion, which may reduce the amount of time for the FDA review.
Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.
The FDA has agreed with these recommendations and has begun taking steps to implement them, such as by including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.
The market for medical device connectivity is projected to reach about $2.6 billion by the year 2023, according to a report published in April 2018 by several publishers. The report states that the connectivity market for 2018 is expected to be about $940 million. This equates to a compound annual growth rate (CAGR) from 2018 to 2023 of 23.2%.
According to news articles, the report states that “[t]he growth in this market is attributed to the increasing penetration of [electronic health records] and health information exchange systems in healthcare organizations, growing focus on care quality and patient safety, healthcare IT initiatives driving the integration of medical devices with hospital information systems, and the growing need to curtail healthcare costs through a connected healthcare environment.”
The report further states the medical device connectivity services segment, as opposed to the device connectivity solutions segment, is anticipated to grow at the maximal CAGR during the “outlook period” from 2018 to 2023. The report divides the technology sectors into wired, wireless, and hybrid technologies. The wireless segment is projected to register the highest CAGR during the outlook period.
The report also breaks down the relevant markets into hospitals, home healthcare, ambulatory care settings, and imaging & diagnostic centers. It finds that in 2017 hospitals controlled the medical device connectivity market. The report also finds that North America is expected to grow at the highest CAGR during the outlook period, followed by Europe.
The increase in the market is attributed in the report to “growing funding towards innovative projects in the medical market, [the] need to curtail the escalating healthcare costs in the USA, the presence of a big number of healthcare IT firms, rising investments in the healthcare sector by top market players, and increasing awareness about advanced technologies.”
On August 29, the FDA announced a recall of 465,000 implantable pacemakers, citing concerns that hackers may be able to take control of the pacemakers’ settings. This would open patients up to danger from improper pacing or rapid depletion of the devices’ batteries, according to the FDA’s statement. Instead of removing and replacing the pacemakers, the recall is designed so that doctors will install a firmware upgrade that removes the vulnerability.
Newsfactor reports that there have been no reported exploits of the vulnerability and no devices have yet been compromised.
The recall highlights that medical device manufacturers are beginning to take a more focused approach to cybersecurity. Mac McMillan, CEO of privacy and cybersecurity firm Cynergistek, told Modern Healthcare that “If devicemakers didn’t already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current. In the past, they’ve developed devices and put them on the market and moved onto the next device. This is a new thing for them.”
Mike Kijewski, CEO of medical device security company Medcrypt, also suggested that the FDA should update its regulations to help medical device companies stay on top of cybersecurity threats. “If the FDA can say you’re just doing the update for cybersecurity and the changes are minimal and the functionality of the device isn’t changing, they can make the update happen faster,” Kijewski suggested.
Canada’s equivalent of the FDA, Health Canada, is still looking into the vulnerability and its proposed solution, and has set a target of 75 days to resolve the situation.
Recently, digital currencies, such as bitcoin, have greatly increased in popularity. Some of this popularity may be attributed to digital currencies’ many purported advantages over traditional currencies, such as that blockchain technology allows for a distributed and cryptographically secure ledger without the use of traditional banking institutions. Newer and more advanced digital currencies have recently been introduced with the added advantage of smart contracts, which are said to be self-executing contractual clauses that may be programmed into a digital currency transaction. As such, many new digital currencies have been appearing with individuals investing in Initial Coin Offerings (ICOs), which are somewhat akin to the Initial Public Offerings (IPOs) of a traditional corporation.
Even more recently, a few companies have begun to make use of digital currencies and blockchain technology in the medical arena. Many have found blockchain technology uniquely suited to secure patient records, and have found that the smart contracts of digital currencies may allow individuals greater control of their medical data. Below is a summary of a few fields of medicine and companies within those fields in which digital currencies and blockchain are already being developed.
Medical Records and Health Data
According to The Merkle, Bowhead Health is the first medical device company using their AHT digital currency tokens with smart contracts to create a new medical data market. The company plans to allow individuals with Bowhead’s digital currency to control the dissemination of their medical data, and also to compensate those individuals if and when they choose to share with research institutions. Bowhead’s AHT tokens are said to allow 70% of research fees to be distributed to users with the other 30% going to token holders.
According to Blockchain News, Medicalchain is a UK-based company using blockchain technology to allow patients to securely store and send their medical records to their healthcare professionals. Medicalchain is said to allow patients to have a centralized medical record accessible from anywhere in the world, and allow individuals the ability to control medical institutions’ access to their records.
The Medical Society of Delaware has partnered with the company Medscient, and they are using blockchain technology to create a proof-of-concept platform to allow insurers and medical care providers to access patient records, according to The Cointelegraph. The article further states that this partnership was made possible when the state of Delaware became the first state to pass a law allowing the use of blockchain technology in business for stock trading and record-keeping.
The Illinois Blockchain Initiative has partnered with Hashed Health to create a pilot program to streamline the process of issuing and tracking medical licenses, according to The Cointelegraph. The goal of this partnership is said to give patients and healthcare providers a transparent license registry system that uses smart contracts to automatically update information.
Medicine and Artificial Intelligence (AI)
According to news sources, Doc.ai is a collaboration between developers from the universities of Stanford and Cambridge, and is said to be creating a platform built on blockchain technology and using AI to create a resource to answer patients’ specific questions regarding their personal health records and their physicians’ analysis.
A recent survey conducted by ZingBox, a Silicon Valley internet security startup, found that more than 90% of healthcare IT networks have Internet of Things (IoT) devices. The survey further found that more than 70% of IT departments believe that current security systems for laptops and servers can also protect connected medical devices.
According to Xu Zou, ZingBox CEO, “Typically you will see 10 to 15 IoT devices per bed in a hospital.” He defines a healthcare IoT device as anything that is portable and connected to the Internet.
This has caused serious problems for medical and other organizations. For example, on May 12, 2017 a ransomware cryptoworm called WannaCry attacked devices on every continent. An estimated 200,000 computers in 150 countries were infected. The attack included hospitals in England and Scotland and affected up to 70,000 devices, including MRI scanners, blood-storage refrigerators, and theater equipment. Some ambulances were diverted and some non-critical emergencies were turned away.
A more recent global attack occurred on June 27, 2017. Petya (also known as NotPetya), a ransomware cryptovirus, affected largely Ukrainian and Russian hospitals but also hit locations in France, Germany, Italy, Poland, the United Kingdom, and the United States.
In ransomware attacks, malware prevents a user from accessing certain computer records (e.g., patient records). These records are not released until a specified amount is paid to an anonymous recipient. Generally, these types of attacks rely on cryptocurrencies, such as Bitcoin. Cryptocurrencies function like paper money, so the transaction is anonymous and difficult to trace.
“Health care has been late to respond to the need for protected information, and the information is worth more,” said Michael Ebert, a partner with KPMG who advised companies on cybersecurity. “It’s amazing how far behind we are, and we know we have to do something.”
Ransomware attacks not only show the vulnerability of hospitals (and healthcare companies generally), but they present a threat to human life. For example, experts have suggested that up to 500,000 children’s medical records are on sale and could be used to compromise the care given to a child.
Ransomware attacks are on the rise. A 2017 Verizon Data Breach analysis found that ransomware attacks rose from the 22nd most common type of malware attack to the 5th most common between 2014 and 2017. “[H]olding files for ransom is fast, low risk and easily monetizable,” wrote the authors. The report noted that 72% of all health care malware attacks in 2016 were ransomware.
Investment in IoT technology is also rising. So far it is at nearly $25 billion and is expected to rise dramatically. Accordingly, the spread of the technology can be expected to increase. Examples within the medical device community include blood pressure and heart rate monitors.
Most of those surveyed by ZingBox may be optimistic about the state of their security. However, the healthcare industry is likely to be more vulnerable in the future as the IoT becomes more ubiquitous.
The ECRI Institute released new guidance in its article: “Ransomware Attacks: How to Protect Your Medical Device Systems” on May 18, 2017. The report recommends various protective actions for hospitals to take and points to critical differences in the protection of medical device systems as opposed to general hospital systems.
According to the report, ransomware makes data, software, and IT assets unavailable to users. The report describes ransomware as using the encryption of data to hold systems hostage, where the hacker promises to give the victims access to their data if a ransom is paid. One previous ransomware example reported on the Knobbe Medical Device Blog was the WannaCry virus, a ransomware that caused disruptions for several hospitals in the United Kingdom. The International Business Times reported that security researchers had found that the WannaCry ransomware was not limited to computers but also capable of exploiting medical devices.
The ECRI Institute report explains that an IT department can use new security patches for some medical device systems; however, some systems will remain susceptible because they are based on an older version of an operating system and can’t be upgraded or they have not been validated for clinical use with the latest security patches.
The report includes a list of dos and don’ts for quickly responding to emerging threats. The “Dos” mentioned in the report include:
- Identify medical devices, servers or workstations that may be affected.
- Contact the device vendor.
- Request written copies of the manufacturer’s recommended actions for dealing with a current ransomware threat.
The “Don’ts” mentioned in the report include:
- Don’t overreact.
- Don’t install unvalidated patches. Unvalidated patches can make medical devices faulty or inoperable. Ask the manufacturer for documentation of the validation.
The ECRI Institute is a nonprofit organization that has its U.S. headquarters in Plymouth Meeting, Pennsylvania.
The WannaCry virus has infected and frozen computers in many industries around the world. According to a news source report, the virus has extorted doctors and hospital administrators for the keys to unlock and regain access to their systems in order to treat patients. The Telegraph reports that in the United Kingdom alone, up to 40 hospital trusts were hit by the WannaCry ransomware virus, which resulted in a wave of cancelled appointments and a general state of disarray. Recently, the BBC has stated that at least 16 of these hospitals are still facing issues. With the widespread damage associated with the WannaCry virus, many experts have advocated that the medical device industry should be on alert, now more than ever, regarding the cyber security of their medical devices.
Although the issues associated with medical device security have recently been discussed, some industry professionals believe there does not seem to be an adequate solution to the problem of device security. Tressa Springman, the CIO of LifeBridge Health, explains:
“There’s a lot of talk in healthcare about device security. Discussions about what we’re comfortable pushing as endpoint security and what we’re unable to do – because certainly, we don’t want to create any harm to patients. Many of these devices and the vendors who manage them, it’s very hard to go direct on patching and adding security.”
While medical devices are generally tested extensively for safety, some cybersecurity experts have observed the same cannot necessarily be said for security. Brian NeSmith, co-founder and CEO of cyber security company Arctic Wolf Networks, has stated:
“Medical devices, similar to many other IoT devices, were not designed with rigorous security in mind and are more vulnerable to being hacked. They also do not fall under normal security operations procedures since they are used as needed by the medical practitioners and not deployed and maintained by the IT department.”
Security experts are emphasizing the importance of security patches. Optimistically, Richard Staynings, the principal cybersecurity healthcare leader at Cisco’s Security unit, believes:
“This is going to cause a paradigm shift, at least for patching.”
Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of that associated data. In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise different health care institutions such as private clinics, vendors of medical equipment, and suppliers. Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data.
Komarov’s research should come as no surprise in view of a report issued by the Brookings Institute in May 2016 reporting that 23% of all data breaches occur in the healthcare industry. In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.
According to a report done by Bloomberg BNA, while a number of legal mandates exist (e.g. the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration’s (FDA) premarket review), the existing guidelines are limited. Furthermore, medical devices face certain unique cybersecurity pitfalls. For example, while HIPAA applies to protect health information regardless of where it’s stored, protected health information that exists on disposed of or nonfunctional medical devices can be overlooked.
Connected medical devices (i.e., medical devices that can transmit information through the internet or a networked system) also pose unexpected risks and challenges. For example, the ability for hackers to remotely access connected medical devices can hypothetically result in significant threats to patient health and safety. A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president. While such situations seem far-fetched, in an interview on “60 Minutes,” it was revealed that Vice President Dick Cheney’s doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.
While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern. Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile “white hat” hackers to conduct a study of cybersecurity vulnerabilities in their medical devices. These “white hat” hackers worked on a number of different medical devices, including cardiac monitors, infusion pumps, and hospital beds. In one alarming example, one hacker was able to gain control of an infusion pump – the Hospira Symbiq Infusion System – and was able to remotely cause it to deliver a potentially lethal dose of medication. Shortly thereafter, the FDA issued a safety notice recommending a recall and that use of the pump be stopped.
With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.
The U.S. Food & Drug Administration (FDA) issued a proposed guidance on August 8, 2016, regarding software changes to medical devices. The proposed guidance relates to requirements for submitting medical device software changes to the FDA for approval. The final document will provide assistance to medical device companies and the FDA for determining when changes to software or firmware for a medical device require FDA clearance. The medical devices covered include 510(k)-cleared devices and preamendments devices subject to 510(k).
The FDA’s proposed guidance explains that premarket notifications are generally submitted for commercially-distributed medical devices undergoing significant changes in design. Such changes include modifications that “could significantly affect the safety or effectiveness of the device” or a “major change or modification in the intended use of the device.” The proposed guidance relates to software changes and is an update to the original guidance issued in 1997 regarding changes to existing devices.
The “software” subject to the proposed guidance is defined as “electronic instructions used to control the actions or output of a medical device, to provide input to or output from a medical device, or to provide the actions of a medical device.” This includes software embedded in a device, software that is an accessory to another device, and “software that is intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device.”
The FDA provides a flow chart for assisting with the determination. Issues addressed in the determination include changes related to: strengthening cybersecurity; meeting specifications of the most recently cleared device; introducing or affecting hazardous situations; creating new risk control measures; and affecting clinical functionality or intended use of the device. Additional factors to consider beyond those in the flow chart and some examples of modifications are provided in the draft guidance as well.
The proposed guidance notes that in some cases a new 510(k) is not necessary, and that existing Quality System (QS) requirements may suffice. Such QS requirements mandate, among other things, that the manufacturer maintain records, for production upon request, regarding such changes and the processes used to determine that the changed device meets the design specifications. Further, the proposed guidance does not apply to software for which the FDA has previously said it will not enforce compliance, including some mobile apps used with medical devices.
Some observers think the proposed guidance will help with improving cybersecurity of connected medical devices. The public may provide comments to the FDA on the proposed guidance until November 7, 2016: comments may be submitted electronically here.
The Food and Drug Administration recently issued a draft guidance for managing cybersecurity in medical devices. The guidance document provides the FDA’s postmarket recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices. According to the FDA:
A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.
Recognizing that medical devices and the surrounding network infrastructure cannot be completely secured, the FDA encourages manufacturers to establish a defined process to systematically conduct a risk evaluation and determine whether a cybersecurity vulnerability affecting a medical device presents an acceptable or unacceptable risk. According to the guidance document, such a process should focus on assessing the risk to the device’s essential clinical performance (i.e., performance that is necessary to achieve freedom from unacceptable clinical risk, as defined by the manufacturer) by considering: (1) the exploitability of the cybersecurity vulnerability, and (2) the severity of the health impact to patients if the vulnerability were to be exploited. Recommendations regarding timely remediation and reporting of such vulnerabilities are also provided.
Comments on the draft guidance should be submitted by April 21, 2016 to ensure consideration. Instructions on how to submit comments can be found here.
Amid myriad media reports about potential vulnerabilities in medical device cybersecurity and the FDA’s efforts to strengthen medical device cybersecurity, the IEEE Cybersecurity Initiative released a report entitled “Building Code for Medical Device Software Security.” The report sets forth a set of elements aimed at reducing the vulnerability of medical device software to malicious attackers. The report employs a loose definition of “medical devices,” ranging from wearable devices to electronic health record systems.
The report highlights the most common types of software vulnerabilities that are exploited by malicious attackers. The bulk of the report proposes standards for five software implementation considerations: ways to (1) avoid, detect, or remove specific vulnerabilities, such as by using memory-safe languages, secure coding standards, and automated thread safety analysis; (2) ensure proper cryptography; (3) improve software integrity; (4) impede attacker analysis or exploitation; and (5) detect malicious attacks. The report further raises four software design considerations concerning maintaining service during an attack, restoring service after an attack, and supporting privacy requirements, but does not propose any standards for them. Finally, the report notes that the “building code” itself should be consistent in categorizing particular types of attacks and should be maintained over time.
The IEEE Center for Secure Design has also released “Avoiding the Top 10 Software Security Design Flaws,” to give advice on ways to address particular issues including data authentication, authorization, and validation; cryptography; sensitive data classification; and integrating external software components.