Medical Device: Growing Cybersecurity Threat and Need for More Regulation

Despite an expected increase in the frequency in cybersecurity threats in the near future that will affect networked medical devices, experts debated whether existing US and European guidelines are adequate to ensure device manufacturers are up to date with the highest security. Some called for more stringent regulation, and others argued overly specific rules are impractical against a constantly changing threat. They added any attempts to tighten regulation will face industry opposition and political apathy.

Experts said medical devices vulnerable to accidental threats from software coding errors to criminal hacking include implantable devices, diagnostic and monitoring equipment and medical device data systems (MDDS). If exploited, vulnerabilities can compromise patient care and have almost certainly already caused patient deaths, said Mike Ahmadi, global director of critical systems security, Synopsys.

Any devices connected to a hospital network can be compromised, such as devices exposed to removable media containing malware, said Rob Suarez, head of Product Security at medical device firm BD. Infusion pumps or cardiac monitors which rely on a radio connection to transfer data can also be susceptible, said Tara Swaminatha, partner, Data Privacy & Cybersecurity, at law firm Squire Patton Boggs, Washington, DC. Hackers could not only read patient data coming from these devices, but also alter the output of a pacemaker or infusion pump, they said.

Implantable devices such as pacemakers have been proved vulnerable to attacks in academic situations, noted Swaminatha (Halperin et al, ‘Pacemakers and implantable cardiac defibrillators: Software radio attacks and zeropower defences,’ Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008). Fabien Roy, senior associate, Life Science, at law firm Hogan Lovells, Brussels, Belgium, confirmed one of his clients is addressing an unspecified vulnerability it has discovered in its implantable medical device.

Ahmadi said the extent of harm from medical device cybersecurity failures is hard to pinpoint, in part because hackers could erase unsecured device logs, which would make it hard to tell whether, for instance, a pacemaker had failed because of an attack rather than a mechanical issue, he said. Victoria Hordern, senior associate, Data Privacy, Hogan Lovells, London, UK, agreed there will be more hacking of medical devices in future, however, she believed targeted attacks on specific device users will be several years away.

Industry debates guidelines

Medical device cybersecurity is largely covered by FDA guidance, not regulation, experts agreed: guidance on premarket device submissions published in October 2014, and postmarketing device guidance issued in December 2016. The guidance includes some specific recommendations, such as premarket appropriate controls for device user identification and postmarket patch management, said Suarez.

However, Ahmadi said more prescriptive regulation is “extremely necessary” for better patient safety, since self-policing under FDA guidance has failed: Synopsys surveyed 6,000 medical device manufacturing staff and found 49% admitted to not following this guidance. The survey also found 67% of experts believe an attack on a medical device built by their organisation is likely to occur in the next year, he noted.

As a result, Ahmadi suggested US regulation should be introduced with more specific cybersecurity requirements for 510(k) approvals, verifiable via third-party certification, with manufacturers required to provide a report showing rigorous testing for vulnerabilities. Such a regulation could end, for example, numerous devices running on known flawed operating systems such as Windows XP, he said.

However, other experts disagreed with this call to tighten regulation and said current guidance is adequate, and more regulation would be counterproductive.

As evidence that the FDA is able to use current rules to enforce safety, one expert noted the FDA’s 12 April warning letter to Abbott Laboratories (NYSE:ABT), giving the company 15 days to address a fault which left Abbott’s Fortify, Unify, and Assura defibrillators potentially vulnerable to access by hackers who could drain the devices’ batteries.

"Some called for more stringent regulation, and others argued overly specific rules are impractical against a constantly changing threat"

Swaminatha and Suarez agreed more specific US regulatory prescriptions are unnecessary, noting the range of possibilities for medical device attacks is so broad, it is not possible to detail all possible precautions in the regulation. To craft regulation would be “dangerously slow,” said Suarez, since hacking methods move so fast that the regulations will never be up to date. Instead, manufacturers need to voluntarily and proactively update their risk management continuously, Suarez said.

In addition to the aforementioned guidelines, FDA can enforce safety via regulations which state unsafe devices should not be released, although they may not mention cybersecurity specifically, said Swaminatha. For instance, although there is no affirmative obligation for devices to require a password of a particular strength, if a weak password caused pacemakers to be attacked, FDA will certainly hold the manufacturer responsible, she said.

Hordern and Roy noted a similar regulatory situation in the EU: the April 2017 European Medical Device Regulations largely do not delve into prescriptive cybersecurity requirements at the level of patches and operating systems, instead requiring compliance with “the generally acknowledged state of the art” safety protections (Annex 1, Chapter 1). Manufacturers may choose to follow more detailed advice from ENISA, the European Union Agency for Network and Information Security, said Hordern.

Hordern and Roy said requiring compliance with state of the art safety precautions, without designating what these are in the regulation, is optimal because safety standards are constantly changing, so it would be counterproductive to specifically detail this. In the future, Hordern said, using block chain to encrypt data may be considered state of the art, but it is too early in the development of this technology, which prevents retroactive data alteration, to make it a requirement now.

WannaCry prompts regulation debate

Ahmadi said another necessary change is in response to ransomware attacks on internetfacing Electronic Health Records (EHRs) and medical device data systems (MDDS), such as the May WannaCry attack which hit part of the UK’s National Health Service, enabled by a failure to install a Microsoft patch.

MDDS were once regulated by the FDA as Class III medical devices but were downgraded in 2011 and deregulated in 2015, meaning they do not fall under FDA’s purview, Ahmadi said. The rising frequency of global ransomware attacks on hospitals – with 14 recorded in 2016, rising to 45,000 so far in 2017 – means MDDS must return to FDA purview, said Ahmadi.

However, Suarez disagreed, saying the industry’s response to WannaCry shows a positive trend in medical device cybersecurity, with BD preparing a public advisory with recommendations to customers within 24 hours. The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team also responded quickly with guidance, he said.

Experts on both sides of the debate said passing stricter requirements will be difficult. Software and device companies will naturally oppose stricter regulation that delays speed to market, said Ahmadi, and Roy added there is little appetite among legislators to fill in the gaps where the law is not explicit about cybersecurity methods. Ahmadi said it may be that only a catastrophic event which is so devastating it requires an industry-wide change in behavior will prompt regulatory change.

July 3, 2017

Fiona Barry

Reporter, London

Fiona previously worked in France as a journalist at William Reed Business Media, covering global manufacturing, regulatory and outsourcing news for the biopharmaceutical industry. She has also reported on global food and beverage companies. Fiona holds an M.A. in English and a B.A. in English and Philosophy from Bristol University. She speaks English and French