IPA

Or: how do the new FDA regulations regarding the cybersecurity of medical devices protect the public?

Author: Ofer Yifrach-Stav

In the bustling bank, customers lined up patiently, absorbed in their financial transactions, and the tellers diligently carried out their duties behind the counters. Philip M. Masterson, the bank manager, walked across the polished marble floor, his attention divided between the bustling scene and the paperwork in his hands. It was a typical day, filled with the rhythmic hum of conversations and the occasional ringing of phones.

Suddenly, the air was pierced by a command that cut through the serene atmosphere, “Attention, everyone! This is a robbery!” The vibrant bank froze in an instant, customers and employees turning their heads in disbelief. Three individuals stood near the entrance, their demeanor calm yet resolute. They lacked the usual masks or weapons associated with bank heists, but their intent was unmistakable.

As the startled whispers filled the room, the leader of the group locked eyes with Philip, his gaze firm and unwavering. “Ah, Mr. Masterson, how fortunate for us to have the opportunity to meet you,” he spoke with an air of calculated confidence. “You see, we may not be armed in the conventional sense, but I assure you, I am armed with something far more powerful.”

Curiosity and fear danced in Philip’s eyes as he tried to comprehend the situation. Before he could utter a word, the intruder lifted his phone, displaying the screen with a wicked grin. “This little device controls the beating of your heart, my dear bank manager. With a simple tap, I can send an electric impulse through your pacemaker, bringing you to your knees or, if I choose, ending your life.”

This story was written as science fiction; however, while unmistakably fiction, to term it “science fiction” is questionable. The truth is, the technology to control a person’s heart with measures as simple as a Wi-Fi connected cellphone already exists, and without the appropriate safety measures, medical device access in the wrong hands could easily become a terrifying reality. More and more, medical devices such as pacemakers, insulin pumps, and other devices which control fundamental body functions are connected to the internet, and just like other devices, can be hacked. Unauthorized access to an implantable medical device, allowing an attacker to manipulate its settings or functionality, can potentially lead to life-threatening consequences for the patient, and moreover, this vulnerability can be exploited for ransom or coercion.

Other increasingly plausible scenarios go beyond mere science fiction, posing significant risks to both individual patients and entire healthcare systems. For instance, malicious actors could infiltrate a healthcare facility’s network of interconnected medical devices, giving them the power to disrupt or manipulate the administration of medications, treatments, or therapies to multiple patients simultaneously. Similarly, the security breach of a remote monitoring system designed for patients with chronic conditions could allow attackers to falsify or manipulate incoming data, resulting in incorrect diagnoses, delayed interventions, or inappropriate treatments. Furthermore, tampering with the firmware or software of critical diagnostic imaging systems, such as MRI or CT scanners, might yield manipulated or inaccurate imaging results, potentially leading to misdiagnoses or unnecessary medical procedures. Exploiting vulnerabilities in a hospital’s electronic health records (EHR) system could have severe consequences, including the modification or deletion of critical patient information, causing care coordination confusion, medication errors, or treatment delays. Lastly, interference with communication and data transmission from wearable medical devices, like cardiac monitors or glucose sensors, may result in delayed or inaccurate notifications of critical health conditions for patients dependent on continuous monitoring.

The healthcare sector has witnessed a notable rise in cybersecurity attacks and data breaches, with a substantial impact on millions of individuals globally. An example of this is the 2022 network server breach at Shields Health Care Group[i], which affected up to two million individuals, compromising their personal information, medical records, and billing details. These breaches pose a number of significant risks, including to patient privacy, intellectual property, manufacturing processes, brand reputation, and even patient safety.

Between 2009 and 2021, 4,419 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services (HHS) Office for Civil Rights[ii]. Those breaches resulted in the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records. Put into perspective, this number is equal to more than 94.63% of the entire population of the U.S. in 2021. In 2018, the rate of reported healthcare data breaches of 500 or more records grew to one per day. This number continued to rise, and by 2021 an average of 1.95 healthcare data breaches of 500 or more records were reported each day.

The recent surge in cybersecurity breaches has predominantly involved the exposure of medical records, compromising patient privacy. However, a pressing issue arises concerning the security of Internet of Things (IoT)-based medical devices, like pacemakers and insulin pumps, which pose significant risks to patient safety. These vulnerabilities can result in life-threatening outcomes, such as the administration of lethal doses or the disruption of vital functions. According to a 2022 FBI report[iii], a concerning 53% of digital medical devices in hospitals, including insulin pumps, intracardiac defibrillators, mobile cardiac telemetry devices, and pacemakers, were found to have critical vulnerabilities.

In order to mitigate those risks, the FDA has issued guidance on the cybersecurity of medical devices, emphasizing best practices for manufacturers.

The FDA has been ensuring the quality and safety of medical devices since 1976 under the authority granted by the Federal Food, Drug, and Cosmetic Act (FD&C Act). The agency’s oversight encompasses various aspects, including design, manufacturing processes, materials, performance testing, labeling, and post-market surveillance. These measures have been put in place to ensure the safety, effectiveness, and compliance of medical devices with established standards. However, in recent years, the FDA’s focus has increasingly turned to the critical issue of cybersecurity in medical devices, recognizing the growing importance of protecting these devices against potential cyber threats. As Andrea Palm, the Deputy Secretary of the Department of Health and Human Services (HHS), stated in a press release in April 2023, “Cyber-attacks are one of the biggest threats facing our healthcare system today, and the best defense is prevention[iv].”

Cybersecurity is defined as “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”[v]. Like other computer systems, medical devices are susceptible to security breaches that can compromise their safety and functionality. Cyber attackers can be categorized into three groups: cyber-terrorists, driven by ideology and seeking to promote their cause; cyber-criminals, motivated by financial profit; and cyber-spies, sponsored by nation-states and operating akin to independent intelligence agencies.

A comprehensive analysis of data breaches reported in the Privacy Rights Clearinghouse database between 2015 and 2019[ii] revealed that the healthcare sector accounted for a significant 76.59% of all recorded breaches. This means that the healthcare industry experienced three times as many breaches as the combined sectors of education, finance, retail, and government.

On December 29, 2022, the Consolidated Appropriations Act, 2023 (“Omnibus”) was signed into law. Section 3305 of the Omnibus — “Ensuring Cybersecurity of Medical Devices” — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, “Ensuring Cybersecurity of Devices.”

So what does it mean?

The updated guidelines require medical device applicants or manufacturers to include, as part of their premarket submission, comprehensive plans for monitoring, identifying, and addressing cybersecurity concerns. Applicants must also provide regular security updates and disclose the software used in their devices. Until October 1, 2023, the FDA will not issue “refuse to accept” (RTA) decisions on these grounds, but will instead work with the applicant on addressing those issues. As of that date, however, medical device manufacturers are expected to be familiar with the new regulations regarding the cybersecurity of medical devices, and to address vulnerabilities as part of the device design. These regulations apply specifically to what the FDA now defines as a ‘cyber device’, which is any device that:

  1. includes software validated, installed, or authorized by the sponsor as a device or in a device;
  2. has the ability to connect to the internet; and
  3. contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.

In order to support the cybersecurity documentation in submissions, the FDA has recognized consensus standards, including AAMI/UL 2900-1:2017, which contains technical requirements on cybersecurity for network-connectable products, and IEC 81001-5-1:2021, which defines the life cycle requirements for the development and maintenance of health software needed to support conformance to IEC 62443-4-1, taking the specific needs of health software into account.

By implementing these measures, the FDA aims to enhance the security and resilience of medical devices against potential cyber threats. It is crucial for medical device manufacturers to adhere to these regulations and industry standards to safeguard patient safety, protect sensitive information, and maintain the integrity of healthcare systems in the face of evolving cybersecurity challenges.

Conclusion

Moving forward, it is imperative for medical device manufacturers to proactively address cybersecurity concerns in their products. They should ensure that comprehensive cybersecurity plans are integrated into the design and development stages of their devices. This includes conducting thorough risk assessments, implementing robust security measures, and regularly updating and patching device software to address vulnerabilities. Manufacturers should also establish effective mechanisms for monitoring and detecting potential cyber threats, as well as establish incident response plans to swiftly mitigate and contain any breaches. Furthermore, staying informed about emerging cybersecurity standards and best practices is crucial to continuously improve the security posture of medical devices. By prioritizing cybersecurity at every stage of the device lifecycle, manufacturers can instill greater confidence in the safety and integrity of their products, safeguard patient well-being, and contribute to the overall resilience of the healthcare ecosystem.

About the Author

Ofer Yifrach-Stav has 15+ years of experience in the pharmaceutical and medical device industry, focusing on compliance, quality assurance, and validation. He holds a BSc in Biotechnology Engineering and an MSc in Environmental Engineering. Ofer is a Certified Quality Auditor of the American Society for Quality, and an ISO Lead Auditor in ISO 9001:2015, ISO 13485:2016, and ISO 27001:2022. In recent years he has gained expertise in information security while working towards a PhD in Computer Science.

[i] United States. Department of Health and Human Services. Office for Civil Rights. Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021. https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf

[ii] Healthcare Data Breach Statistics – Latest Data for 2022. HIPAA Journal. (2022). https://www.hipaajournal.com/healthcare-data-breach-statistics/#:~:text=5%2C150%20data%20breaches%20have%20been,Rights%20on%20January%2017%2C%202023

[iii] Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities. Federal Bureau of Investigation, Private Industry Notification. (2022). https://www.ic3.gov/Media/News/2022/220912.pdf

[iv] Muoio, D. HHS releases free online cybersecurity training, best practice reports for healthcare. Fierce Healthcare. (2023). https://www.fiercehealthcare.com/health-tech/hhs-releases-free-online-cybersecurity-training-best-practice-reports-healthcare

[v] NIST, Computer Security Resource Center, Glossary – Cybersecurity. https://csrc.nist.gov/glossary/term/cybersecurity