Recently, Thompson Coburn’s Life Sciences Decoded blog described several FDA initiatives to increase the safety and reliability of the emerging connected device market and discussed data privacy as it pertains to medical devices. The FDA’s PreCert program aims to fast-track innovation while respecting product reliability and integrity and the agency’s Digital Health Plan provides the FDA with tools to encourage the development of reliable, connected and digital devices.
However, security issues with connected devices continue. On March 13, 2018, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is a part of the Department of Homeland Security, released an advisory notice about a vulnerability in GE-made medical devices. This alert deals with a vulnerability related to hard-coded default user credentials in these devices. Although, with manufacturer assistance, these default credentials can be changed, the vulnerability “may allow a remote attacker to bypass authentication and gain access to the affected devices.” The impacted devices are medical imaging and radiological systems, associated software applications, and workstations for viewing the generated imaging. As a result, this incident provides a good example on how such a vulnerability can impact a wide range of medical devices, both hardware and software.
ICS-CERT has worked with the National Institute of Standards and Technology (NIST) to provide individual vulnerability alerts for each of the impacted GE devices:
Furthermore, ICS-CERT has determined that information about this risk is widely and publicly available. As a result, it is imperative that impacted device owners contact GE for information on remediating the issue. However, from a privacy perspective, there are additional concerns.
Risks of device compromise
Compromised connected medical devices pose significant risks to the companies that use them. Devices like those listed above create medical records tied to patients and if these records are available to an unauthorized user on a compromised system, these incidents may trigger a HIPAA-related breach requiring individual and HHS-OCR notification responsibilities. Furthermore, the compromise may impact the integrity and accuracy of the device’s performance, and as a result, could significantly impact patient treatment and safety.
The compromise may also extend beyond the device itself. Networked devices that are accessible to attackers may be a starting point from which they can pivot to attack other devices, servers or workstations on the network to collect data, compromise systems, devices, or launch ransomware attacks. Owners should consider the possibility that their device has been compromised and conduct a thorough internal review of their network’s settings, network traffic relating to the device, and any unauthorized remote connections to the device.
FDA addresses risk/privacy concerns as part of its Digital Health Program
The FDA has clearly stated that its Digital Health Program has been designed to not only allow for better disease management through information and patient participation but to create more efficient workflow and, therefore, more efficient clinical practices through the use of technology. The program is working to develop more secure pathways for patient and treatment information to avoid situations with medical software devices as is currently at issue with the GE technology, a device with a software component. This new risk-based approach by the FDA highlights concerns raised by data breaches/security lapses and through its guidance documents is helping the industry design an acceptable secure information sharing pathway. This is consistent with the mandates under the 21st Century Cures Act. In addition, the FDA is expected to issue further guidance within the first quarter dealing with its regulation of digital devices, what it will regulate and delineating further safety concerns. It will be interesting to see whether or not this GE issue will impact these guidances.