Blog Tag: Medical Device Security

FDA to Strengthen Cybersecurity Oversight

In a recent report, the U.S. Department of Health & Human Services (HHS) Office of the Inspector General (OIG) recommended that the U.S. Food & Drug Administration (FDA) include cybersecurity review as a greater part of the premarket review process for medical devices. In particular, the report suggests including cybersecurity documentation as a criterion in the FDA’s Refuse-To-Accept (RTA) checklist, using presubmission meetings to address cybersecurity questions, and including cybersecurity as an element of the FDA’s Smart template.

The FDA has been ramping up its cybersecurity review lately to deal with increased cybersecurity concerns. For example, a ransomware attack caused an Indiana hospital to shut down its system. Other cyberattacks may have gone undetected.

Currently, the FDA reviews documentation that manufacturers submit regarding cybersecurity as part of premarket submissions. The FDA uses this information to consider known cybersecurity risks and threats when reviewing submissions that deal with networked medical devices. The FDA may request additional information from applicants when submissions require clarification or when cybersecurity documentation is lacking. Following such requests, the FDA regularly approves manufacturers on cybersecurity issues once sufficient documentation is provided.

For example, in one review of a glucose monitoring system, an FDA reviewer did not find “any information on how the manufacturer included cybersecurity in the device’s design,” according to the report. “The FDA reviewer explained that the device relied heavily on users to protect against cybersecurity threats by using antivirus software and enabling firewalls. The FDA reviewer requested that the manufacturer update its hazard analysis to address the missing information. The manufacturer did so, and FDA found the update to be acceptable.”

Because of examples like this, the report suggests using cybersecurity documentation as an element in the FDA’s RTA checklist. The RTA checklist is a screen against incomplete applications. Were cybersecurity part of these checklists, failure by a manufacturer to provide adequate cybersecurity documentation could prevent the FDA from accepting the submission for substantive review.

The report also suggests that the FDA use presubmission meetings to address cybersecurity-related questions. These meetings serve as a way for manufacturers to ask the FDA specific questions, such as whether the submission satisfies the FDA’s standards. During these meetings, the FDA can include cybersecurity as part of the discussion, which may reduce the amount of time for the FDA review.

Finally, the report recommended that cybersecurity be a stand-alone element in the FDA’s Smart template. A dedicated section on cybersecurity could allow FDA reviewers to explain the results of their review regarding cybersecurity in a standard format.

The FDA has agreed with these recommendations and has begun taking steps to implement them, such as by including cybersecurity in the Smart template. The FDA also said that it “intends to update the RTA checklist and the accompanying guidance to specifically identify cybersecurity as an item in the checklist during the next update of these items.” The FDA is also currently considering new rules that may require submission of software as part of a premarket submission.

ECRI Institute Releases Guidance on How to Protect Your Medical Device Systems

The ECRI Institute released new guidance in its article: “Ransomware Attacks: How to Protect Your Medical Device Systems” on May 18, 2017.  The report recommends various protective actions for hospitals to take and points to critical differences in the protection of medical device systems as opposed to general hospital systems.

According to the report, ransomware makes data, software, and IT assets unavailable to users. The report describes ransomware as using the encryption of data to hold systems hostage, where the hacker promises to give the victims access to their data if a ransom is paid. One previous ransomware example reported on the Knobbe Medical Device Blog was the WannaCry virus, ransomware that caused disruptions for several hospitals in the United Kingdom. The International Business Times reported that security researchers had found that the WannaCry ransomware was not limited to computers but was also capable of exploiting medical devices.

The ECRI Institute report explains that an IT department can use new security patches for some medical device systems; however, some systems will remain susceptible because they are based on an older version of an operating system and can’t be upgraded, or because they have not been validated for clinical use with the latest security patches.

The report includes a list of dos and don’ts for quickly responding to emerging threats.  The “Dos” mentioned in the report include:

  • Identify medical devices, servers or workstations that may be affected.
  • Contact the device vendor. 
  • Request written copies of the manufacturer’s recommended actions for dealing with a current ransomware threat. 

The “Don’ts” mentioned in the report include:

  • Don’t overreact.
  • Don’t install unvalidated patches.  Unvalidated patches can make medical devices faulty or inoperable.  Ask the manufacturer for documentation of the validation.

The ECRI Institute is a nonprofit organization that has its U.S. headquarters in Plymouth Meeting, Pennsylvania.

Hacking the Human Body – Medical Device Security

Medical device development, as always, is shooting upwards – and it has just reached the clouds.

According to News Medical, Verizon just announced that it received 510(k) clearance for its Converged Health Management medical device (the first time Verizon has applied for and received FDA clearance). Converged is a remote patient-monitoring medical device based in the cloud and, according to the press release, should be available in late 2013.

Verizon claims that the new healthcare solution resides in its allegedly “HIPAA-ready cloud” and will provide easy access to nearly real-time patient data from connected medical devices. Theoretically, this will allow nearly constant medical monitoring – for example, if you’re driving your car and you begin to display pre-stroke symptoms (which you can’t notice) while hooked up to Verizon’s “HIPAA-ready cloud,” your primary care physician can call you to tell you to make your way to the nearest hospital.

The potential benefits of this technology could be very interesting (it doesn’t take much imagination to think of some). However, there are also potentially significant consequences. Clearance for fully wireless-based devices was first granted in 2006. The FDA has recognized that, while it grants clearance to wireless and cloud-based medical devices, such wireless devices may present a significant security risk. On August 13, 2013 (a surprising 7 years after the first wireless-based device clearance), the FDA issued “Radio Frequency Wireless Technology in Medical Devices – Guidance for Industry and Food and Drug Administration Staff,” a guide that attempts to offer “reasonable assurance of safety.” In recognition of the potential for cyber-attacks on wirelessly connected and internet-enabled medical devices (and the patients connected to them), the Center for Internet Security has publicized a new initiative attempting to better secure such systems from cyber-attacks.

All security systems have vulnerabilities which can be exploited – the question is how small they are and how smart a potential attacker must be to find them. Will Pelgrin, the president and CEO of the Center for Internet Security, stated that:

[W]e wanted to be ahead of the curve. Instead of waiting for a major incident to happen, we wanted to provide guidance across the board. . . . As these devices become connected to the internet and networks, they become more than just clinical devices, they become IT systems. As we all know, the weakest node on a network can be your entry point for negative consequences that can affect those devices.

The EE Times points out that many medical devices (which can be connected to networks), such as sport watches, monitoring bracelets, heart rate monitors and pedometers, offer valuable information but would not harm the wearer upon malfunction.  However, there are many medical devices which are life-sustaining, such as pacemakers, insulin pumps, defibrillators, and neural implants.  If these medical devices were “hacked” through inherent weaknesses or through weaknesses in a node of the network to which they are connected, the consequences could obviously be fatal.  According to the article, an insulin pump has already been hacked (by a diabetic white hat hacker demonstrating weaknesses in the system).