Blog Tag: healthcare
In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.
The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.
Currently, the FDA reviews the cybersecurity documentation that manufacturers submit as part of their premarket submissions. The FDA uses this information to weigh known cybersecurity risks and threats when reviewing submissions for networked medical devices. The FDA may request additional information from applicants when a submission requires clarification or when cybersecurity documentation is lacking. Following such requests, the FDA regularly approves manufacturers on cybersecurity issues once sufficient documentation is provided.
For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”
Because of examples like this, the report suggests making cybersecurity documentation an element of the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of this checklist, a manufacturer’s failure to provide adequate cybersecurity documentation could prevent the FDA from accepting the submission for substantive review.
The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings give manufacturers a way to ask the FDA specific questions, such as whether a planned submission satisfies the FDA’s standards. By including cybersecurity in these discussions, the FDA may shorten the time its subsequent review takes.
Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.
The FDA has agreed with these recommendations and has begun taking steps to implement them, such as including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.
Envision Healthcare Corporation (“Envision”) recently announced an agreement to be acquired by KKR & Co. L.P. (“KKR”) for about $5.5 billion in cash. The transaction is valued at $9.9 billion, including the assumption or repayment of debt. The transaction remains subject to regulatory and shareholder approvals, but is expected to close in the fourth quarter of 2018.
Envision, based in Nashville, TN, is a national physician staffing company and provider of physician services, including post-acute care and ambulatory surgery. KKR is a global private equity firm headquartered in New York, NY. The agreement to acquire Envision follows KKR’s 2017 acquisition of American Medical Response, an ambulance business subsidiary of Envision, for $2.4 billion.
It has been reported that other private equity firms, including a consortium of Carlyle Group LP and TPG Global, competed for Envision. According to a report by Bain & Co., the value of private equity deals in healthcare across the globe reached $42.6 billion in 2017, up 17% from $36.4 billion in 2016.
Regarding its acquisition of Envision, Jim Momtazee, Head of KKR’s Health Care investment team states:
Envision has a very strong reputation for delivering high-quality, patient-focused care through its network of 25,000 clinical professionals at thousands of hospitals, surgery centers and alternate sites of care across the country. We are excited to partner with the outstanding team led by Chris Holden to help build upon the strong foundation in place and accelerate Envision’s growth going forward.
The market for medical device connectivity is projected to reach about $2.6 billion by the year 2023, according to a report published in April 2018 by several publishers. The report states that the connectivity market for 2018 is expected to be about $940 million. This equates to a compound annual growth rate (CAGR) from 2018 to 2023 of 23.2%.
According to news articles, the report states that “[t]he growth in this market is attributed to the increasing penetration of [electronic health records] and health information exchange systems in healthcare organizations, growing focus on care quality and patient safety, healthcare IT initiatives driving the integration of medical devices with hospital information systems, and the growing need to curtail healthcare costs through a connected healthcare environment.”
The report further states that the medical device connectivity services segment, as opposed to the device connectivity solutions segment, is anticipated to grow at the highest CAGR during the “outlook period” from 2018 to 2023. The report divides the technology sectors into wired, wireless, and hybrid technologies, with the wireless segment projected to register the highest CAGR during the outlook period.
The report also breaks down the relevant markets into hospitals, home healthcare, ambulatory care settings, and imaging & diagnostic centers. It finds that in 2017 hospitals dominated the medical device connectivity market. The report also finds that North America is expected to grow at the highest CAGR during the outlook period, followed by Europe.
The increase in the market is attributed in the report to “growing funding towards innovative projects in the medical market, [the] need to curtail the escalating healthcare costs in the USA, the presence of a big number of healthcare IT firms, rising investments in the healthcare sector by top market players, and increasing awareness about advanced technologies.”
A recent survey conducted by ZingBox, a Silicon Valley internet security startup, found that more than 90% of healthcare IT networks have Internet of Things (IoT) devices. The survey further found that more than 70% of IT departments believe that current security systems for laptops and servers can also protect connected medical devices.
According to Xu Zou, ZingBox CEO, “Typically you will see 10 to 15 IoT devices per bed in a hospital.” He defines a healthcare IoT device as anything that is portable and connected to the Internet.
This has caused serious problems for medical and other organizations. For example, on May 12, 2017 a ransomware cryptoworm called WannaCry attacked devices on every continent. An estimated 200,000 computers in 150 countries were infected. The attack hit hospitals in England and Scotland and affected up to 70,000 devices, including MRI scanners, blood-storage refrigerators, and operating theater equipment. Some ambulances were diverted and some non-critical emergencies were turned away.
A more recent global attack occurred on June 27, 2017. Petya (also known as NotPetya), a ransomware cryptovirus, largely affected Ukrainian and Russian hospitals but also hit locations in France, Germany, Italy, Poland, the United Kingdom, and the United States.
In a ransomware attack, malware blocks the user’s access to certain computer records (e.g., patient records), and those records are not released until a specified sum is paid to an anonymous recipient. These attacks generally rely on cryptocurrencies such as Bitcoin for payment. Cryptocurrencies function like paper money in that the transaction is anonymous and difficult to trace.
“Health care has been late to respond to the need for protected information, and the information is worth more,” said Michael Ebert, a partner with KPMG who advised companies on cybersecurity. “It’s amazing how far behind we are, and we know we have to do something.”
Ransomware attacks not only expose the vulnerability of hospitals (and healthcare companies generally), but also present a threat to human life. For example, experts have suggested that up to 500,000 children’s medical records are on sale and could be used to compromise the care given to a child.
Ransomware attacks are on the rise. A 2017 Verizon Data Breach analysis found that ransomware attacks rose from the 22nd most common type of malware attack to the 5th most common between 2014 and 2017. “[H]olding files for ransom is fast, low risk and easily monetizable,” wrote the authors. The report noted that 72% of all health care malware attacks in 2016 were ransomware.
Investment in IoT technology is also rising. It currently stands at nearly $25 billion and is expected to rise dramatically, so the spread of the technology can be expected to increase accordingly. Examples within the medical device community include blood pressure and heart rate monitors.
Most of those surveyed by ZingBox may be optimistic about the state of their security. However, the healthcare industry is likely to become more vulnerable in the future as IoT devices become more ubiquitous.