The Inherent Risks, Impacts of Security Decisions, and Practical Approaches– Navigating the Medical Device Field and Vulnerabilities of Medical Devices

October was National Cyber Security Awareness Month, which is part of an annual campaign to raise awareness about the importance of cybersecurity and educate both the public and private sectors about maintaining safety in our interconnected world. Each week in October, the National Cyber Security Alliance, in partnership with the Department of Homeland Security, releases a series of tips focused on helping people protect their online activities and increasing cybersecurity awareness. Each week focuses on a specific cybersecurity theme targeted towards cybersecurity activities relevant to government, industry, and individual citizens.

Following up on some of the issues raised, we will explore in a series of three blog posts: (1) the specific vulnerabilities and risks inherent with embedded and interconnected medical devices, (2) cybersecurity and attacks on medical devices, and (3) practical approaches companies may employ both before and after a device is marketed. This first post in the series serves as an introduction to navigating the medical device field and the specific vulnerabilities and risks inherent with embedded and interconnected medical devices.

Introduction

In today’s modern society, recent technological advances have resulted in transformations in health care delivery, which improve health care and increase the ability of health care providers to treat patients. For example, wireless medical devices such as pacemakers are being implanted in patients, accompanied by software which allows the health care provider to receive and transmit information directly to the device from a remote location. But these devices aren’t without risk. As these medical devices become increasingly interconnected with other clinical systems, they become more vulnerable to both intentional and unintentional misuse, as well as cybersecurity attacks.

The term “cybersecurity” is used to cover a broad spectrum of context-specific adversarial challenges.[i] “Cybersecurity entails the safeguarding of computer networks and the information they contain from penetration and from malicious damage or disruption”.[ii]

While fictional, the popular television show “Homeland” portrayed a medical device cybersecurity hack, in which hackers remotely disabled the Vice President’s pacemaker, killing him. But the fear of medical device hacking by terrorists took a real-life turn for former Vice President Dick Cheney, who had his doctors disable his pacemaker’s wireless capabilities when it was implanted in 2007, to prevent against a possible assassination attempt. The once seemingly futuristic exploit of implanted medical devices is no longer science fiction, and has been successfully demonstrated in devices such as the insulin pump and pacemakers. And while the risk that medical devices carry of being vulnerable to cybersecurity attacks cannot be completely eliminated, it can, and should, be managed.

Navigating the medical device field

The safety, effectiveness, and security of medical devices is regulated by the Food and Drug Administration (“FDA”), among other regulatory bodies. These regulatory bodies have acknowledged the seriousness and enormity of the problem of medical device cybersecurity by publishing recommendations for managing cybersecurity risks and protecting patient health information, to assist manufacturers in their submissions for FDA approval of medical devices. But who has an equal, if not greater responsibility for maintaining device functionality, integrity and confidentiality of information, patient privacy, and device and information availability, to prevent adverse effect on patient safety? Such a responsibility is shared equally by manufacturers, health care providers, and patients.

So, what exactly is a “medical device?” Just as the technology available in our networked and mobile world progresses, so does the fluid definition of “medical device.” The FDA (comprehensively) defines a medical device as:

“an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

(1) recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

(2) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

(3) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”[iii]

While the definition may appear almost too all-encompassing to the unfamiliar or untrained eye, the definition is inclusive of the ten to fifteen million (and growing) medical devices within United States hospitals. It includes, for example, an infusion pump attached to a hospital bed, yet excludes health and wellness applications that run on mobile devices.

Vulnerabilities of medical devices

A vulnerability in a medical device is a weakness within that device, which may be exploited in the device’s information system, system security procedures, and internal controls, or may be exploited through implementation. A threat is the potential for a vulnerability to be exploited, the existence of which is determined by taking the likelihood of the threat actually occurring, juxtaposed with the severity of any potential adverse impact.[iv] The term “exploited” means that a vulnerability or vulnerabilities have been exercised or exposed either accidentally or intentionally, potentially impacting the essential clinical performance of a medical device or the system to which that medical device is connected or networked.[v] However, a vulnerability is not the same as a breach, inasmuch as a breach is the actual disclosure of financial or protected health information (“PHI”) to a third-party unauthorized user.

The increased use of wireless network connectivity and connection of devices to the Internet, coupled with the desire to make use of the information collected on a medical device in other health systems, has made medical devices more open, and subsequently more vulnerable, to cybersecurity threats. The FDA has become aware and warned of potential cybersecurity vulnerabilities and incidents that may have a direct impact on medical devices through hospital network operations, which include: networked medical devices being infected and/or disabled by malware; the use of wireless technology (i.e., cell phones, tablets, hospital computers, etc.) to access patient data, monitoring systems and implanted patient devices; uncontrolled distribution of passwords for privileged device access; failure to provide timely security software updates and patches to address vulnerabilities in older medical devices and networks; and security vulnerabilities in off-the-shelf-software that are not preventing unauthorized device or network access (i.e., use of plain text code, lack of authentication, hard-coded passwords, poor coding, etc.).[vi]

Medical devices are vulnerable to attacks for a myriad of reasons. One reason is that unauthorized third parties or hackers are provided information that may allow them to compromise a medical device via public information provided by certification agencies, device manuals and patent databases. A second reason is that not all operating systems are compatible with one another, which leads to misconfiguration and vulnerabilities through gaps in security. Attacks may also involve medical devices that are already compromised, which can be used to attack other health care organization networks. Having less encryption on the medical devices, while beneficial for emergency access, also presents opportunities for attacks. Other reasons include late or lack of software updates and/or basic security features to prevent tampering, as well as there being a lack of knowledge, awareness, and education on cybersecurity issues and best practices.[vii]

For more on cybersecurity and attacks on medical devices, and best practices to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks) stay tuned for parts two and three of this series, coming soon.