On February 5, 2016, U.S. Senator Barbara Boxer of California sent a letter to five of the country's largest medical device manufacturers, expressing "serious concerns that the cybersecurity vulnerabilities in medical devices are putting the health and safety of patients in California and across the country at risk." In the open letter, Senator Boxer asked the CEOs of these manufacturers, in light of their significant share of the medical device market, to describe "the steps your companies are taking, or plan to take, to address the growing threat of medical device cybersecurity vulnerabilities."
Senator Boxer's February 2016 letter is only the latest instance of increased government scrutiny on this subject. Medical device companies are connecting their products to the Internet of Things at a time of increasing public worry over cybersecurity. Both the Food and Drug Administration (FDA) and the Department of Homeland Security have studied the issue, although neither agency has reported any instance of patient injury or death caused by a medical device being hacked.
The Potential for Cyber Attacks and Privacy Issues
Whether the threat is imminent or far-fetched, the idea of a cyber attack inflicting bodily injury or death is a captivating one. Such an attack was depicted in popular culture in a 2012 episode of the Showtime television program Homeland, in which terrorists assassinate the Vice President by hacking into his pacemaker and inducing a heart attack. (A real-life Vice President, former VP Dick Cheney, later commented on the episode and acknowledged that his doctors had disabled the wireless capabilities of his own implanted cardiac device in 2007 as a security precaution.)
Networked medical devices also present potential privacy issues under the Health Insurance Portability and Accountability Act (HIPAA). For example, when networked medical devices are retired, resold or disposed of, any protected health information (PHI) they hold must be wiped or the storage media destroyed, so that there is no risk of improper disclosure. The HIPAA Security Rule already requires covered entities to have policies for the disposal and re-use of media containing electronic PHI (45 CFR 164.310(d)(2)); the practical point is that a device's internal storage and logs are such media even when the device does not look like a computer.
Many hospitals and other healthcare providers focus primarily on their information technology networks and the computers that connect to them when thinking about the security of patient information. Networked medical devices, because they are nontraditional and FDA-regulated, may not be included in the HIPAA risk assessments and security measures implemented by healthcare providers. Further, not all networked medical devices collect PHI. Devices that collect information about a patient but don't include any means by which the information can be attributed to a specific patient likely aren't covered by HIPAA. Similarly, medical devices that store only information entered by patients, such as some mobile medical apps, may fall outside of HIPAA as well. Accordingly, healthcare providers must determine which of their medical devices are subject to HIPAA, and which are not.
Recent Regulatory Actions
Regulators are looking closely at medical device cybersecurity, and Senator Boxer's letter suggests that Congress may be taking an interest as well. On the regulatory front, recent actions include the following:
- In October 2014, the FDA issued final guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, nonbinding recommendations that encourage certain controls in the premarket design and development of medical devices that connect electronically to provider networks, to the Internet, or to each other.
- Around the same time, press reports revealed that the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) was investigating potential cyber vulnerabilities in various medical devices, including implantable cardiac monitors, pacemakers, infusion pumps, medical imaging systems and hospital networks.
- In July 2015, following warnings from ICS-CERT, the FDA issued an alert to providers recommending that they discontinue the use of a particular computerized infusion pump due to cybersecurity vulnerabilities. The FDA concluded that unauthorized users with access to a hospital's network could control the device and change the pump's dosage delivery. Neither ICS-CERT nor the FDA reported any such attacks having occurred.
- In October 2015, the Office of the Inspector General (OIG) of the Department of Health and Human Services released its 2016 Work Plan, which, among other things, stated that the OIG would examine whether the FDA's oversight of hospitals' networked medical devices is sufficient to protect electronic protected health information (ePHI). The OIG made specific mention of the risks of computerized medical devices, such as dialysis machines, radiology systems and medication dispensing systems that are integrated into a hospital's electronic health records.
As of this writing, the FDA is actively developing additional positions on cybersecurity. In January 2016, the FDA issued draft guidance for public comment on Postmarket Management of Cybersecurity in Medical Devices, a nonbinding set of proposals for steps manufacturers can take to monitor and improve the cybersecurity of medical devices after they have been released to the market. In general terms, the draft guidance includes the following recommendations, among others:
- Recommended processes for assessing the exploitability of a cybersecurity vulnerability.
- Processes for assessing the severity of potential health impacts, if the cybersecurity vulnerability were to be exploited.
- Systems and standards for determining whether the risk to essential clinical performance of a device is controlled (acceptable) or uncontrolled (unacceptable).
- Recommendations for remediation efforts, that is, changes and control actions to address or mitigate vulnerabilities.
- Regular reporting to the FDA, including newly acquired information concerning cybersecurity vulnerabilities and device changes made as part of routine cybersecurity updates and patches.
Senator Boxer praised the draft guidance in her February 2016 letter. Written comments to the FDA on the draft guidance are due April 21, 2016.