Cyber Security Threats Related to Medical Devices
Medical devices are subject to numerous regulations and an intensive approval process to verify their safety for patient use, but what about the software that powers these devices? How secure is the software that operates insulin pumps or pacemakers? In addition to the requirement that medical device software meet general Food & Drug Administration (“FDA”) standards, the FDA has provided guidance to the industry regarding cybersecurity requirements of software.
However, medical device software is not subject to a comprehensive cybersecurity regulatory framework. As medical devices become more interoperable and remotely accessible, the likelihood of a hack increases. In 2018, CBS News aired a story in which security researchers demonstrated the hacking of a pacemaker. Because cyber security threats are ever evolving, all medical devices are at risk, but those most at risk are devices that run on legacy software. Legacy software is software that still operates but is out of date or obsolete, meaning that it is not regularly updated to mitigate cyber security risks.
The primary concern with hacking of medical devices is patient safety, since a hacker may manipulate the operation of a device, but such hacking may also create a broader security risk. Medical devices may operate on an Internet of Things platform, where a hacker’s access to one device on that platform may provide greater access to the hospital’s systems. If a medical device operating on an Internet of Things platform is compromised, a hacker may be able to further infiltrate other applications operating on the platform, and potentially other systems of the hospital. Medical devices may therefore be seen as the easiest target to exploit, with ramifications not only for the particular device targeted but for the hospital at large.
While there have been no confirmed medical device hacks, developing a comprehensive cyber security framework applicable to the medical device industry is essential for maintaining patient safety. In 2018, the FDA put forth a Medical Device Safety Action Plan (the “Action Plan”) aimed at addressing such a framework. The Action Plan includes consideration of requirements for mandatory software updates and patches in the premarket medical device phase, and the creation of a Cybermed Safety (Expert) Analysis Board to serve as a public-private partnership in assessing patient risk, consulting in device development, and investigating suspected device compromises. The Action Plan complements 2016 guidance from the FDA regarding cyber security of medical devices, which is the start of a strong framework for the protection of medical device software moving forward.
A criticism of the FDA’s guidance thus far has been its inability to address the handling of legacy software on medical devices, where cyber security risks may be the greatest. Recently, the FDA announced a memorandum of agreement between the FDA and the Department of Homeland Security to share information and coordinate responses to potential or confirmed cyber security threats arising from medical device software. Going forward, addressing the cyber security of medical device software will need to be both forward and backward looking to most effectively protect patients’ safety.