Post on 19-Mar-2020
Cybersecurity is front and center in all industry sectors now that practically everyone and everything is connected to the internet. The National Highway Traffic Safety Administration is working on accelerating cybersecurity standards for automakers now that today’s automobiles are computerized (and some are self-driving), creating the risk that hackers could remotely take control of a moving vehicle. Recent headlines have focused on hackers targeting law firms by leaking confidential information, such as the “Panama Papers,” or shutting down a firm’s email and computer systems (and thus their billable hours) through ransomware, as DLA Piper recently experienced. Likewise, the retail and credit industries have had their fair share of headlines, including the recent Equifax hack in September. Additionally, headlines featuring cybersecurity concerns from hospital networks and device manufacturers in the healthcare industry have become more prevalent and pose significant threats to patient safety, protected health information, reputation, and even stock prices. Having your credit card compromised is one thing, but having a hacker steal your medical records or access and remotely control your implanted medical device is quite another. As devices become increasingly connected and sophisticated, they become more susceptible to cyber-attacks. To protect patient safety and to control the negative publicity that stems from publicized vulnerabilities, medical device manufacturers need to proactively identify cybersecurity threats and implement software or firmware updates to mitigate them.
WHAT MAKES THE HEALTHCARE INDUSTRY DIFFERENT?

The healthcare industry is particularly vulnerable to cyber-attacks in the form of unauthorized access to protected health information (subject to HIPAA and FISMA regulations), email phishing and malware attacks on hospital networks, and remote takeovers; a compromised device can allow attackers to compromise an entire network. Hackers are targeting the healthcare industry because patient data is a valuable target, healthcare networks may be less secure, there is an expansive victim pool, and there is a lack of regulatory control on device cybersecurity. Ransomware attacks on hospitals are becoming more prevalent. In this scenario, a hacker gains access to and encrypts a hospital’s network and data, forcing hospital administrators to decide whether to pay the hacker’s ransom demand in order to get the encryption key or to shut down operations while the authorities conduct an investigation.[1]
EXPECT TO SEE MORE WARNING LETTERS AND SAFETY ALERTS FROM THE FDA REGARDING FIRMWARE UPDATES

The most commonly described cybersecurity threats to connected devices concern hackers remotely accessing insulin pumps or pacemakers. Pacemakers contain embedded computer systems that can be vulnerable to cybersecurity hacks. As medical devices become increasingly interconnected via the Internet to hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates. An episode of the TV show Homeland depicted a scene where hackers assassinated the Vice President of the United States by remotely disabling his pacemaker. This scene was reportedly inspired by Dick Cheney’s revelation that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might access his device remotely to harm him.[2]

On August 29, 2017, the FDA and Abbott, which acquired St. Jude Medical earlier this year, issued a safety notification encouraging patients with implantable pacemakers to see their doctors for firmware updates to the device hardware to prevent their pacemakers from being hacked.[3] Abbott issued a “Dear Doctor” letter the day before describing the firmware update process.[4] Firmware is a specific type of software embedded in the hardware of a medical device. Although there are no known reports of patient harm related to cybersecurity vulnerabilities, the FDA’s safety notification confirmed that the vulnerabilities are a real threat because hackers could remotely harm a patient by rapidly depleting the battery or by sending inappropriate pacing or shock commands. All medical device manufacturers should use Abbott’s recent experience as an example of why it is critical to proactively patch cybersecurity vulnerabilities before hackers (or the FDA) create a patient safety or PR nightmare.

A cybersecurity researcher brought potential vulnerabilities to Johnson & Johnson’s attention after identifying potential ways hackers could exploit a cybersecurity flaw in its connected insulin pump devices to remotely trigger additional doses of insulin, which could be life-threatening in extreme cases.[5] On October 4, 2016, upon learning about this vulnerability, Johnson & Johnson proactively warned customers and provided advice on how to fix the problem. This was reportedly the first time a manufacturer had proactively issued such a warning to patients about a cybersecurity vulnerability.[6]
FDA’S POSTMARKET GUIDANCE

To help protect against the evolving threat of hacking, the FDA has issued postmarket guidance to medical device manufacturers for continued monitoring, reporting, and remediation of device cybersecurity vulnerabilities.[7] Key takeaways from the new guidance include: (1) medical device manufacturers should monitor, identify, and address cybersecurity vulnerabilities through the establishment of postmarket cybersecurity management processes; (2) a risk-based framework should be used for assessing when cybersecurity-related device changes should be reported to the FDA; and (3) cybersecurity risk management is a shared responsibility among stakeholders that include the medical device manufacturer, the user, the Information Technology system, hospitals, and Health Information Technology developers and vendors.

Further, the FDA encourages hospitals and device manufacturers to implement the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The best way for device manufacturers to combat hacking threats is to consider and evaluate cybersecurity vulnerabilities through the total lifecycle of the device, from building in cybersecurity controls during development to continuously monitoring and patching threats once the product is being used by patients. The FDA’s guidance indicates that manufacturers are not required to report to the FDA routine cybersecurity updates and patches (considered device enhancements), as long as the risk of patient harm is controlled. In assessing uncontrolled risk, “manufacturers should consider the exploitability of the vulnerability and severity of patient harm if exploited.” The FDA does not intend to enforce reporting requirements under CFR 806 if all of the following circumstances are met: (1) no known serious adverse events or deaths are associated with the vulnerability; (2) remediation occurs within a tiered 30- and 60-day timeline; and (3) the manufacturer actively participates as a member of an ISAO (Information Sharing and Analysis Organization) that shares vulnerabilities and threats that impact medical devices. Importantly, device manufacturers may need to consider implementing cybersecurity controls for legacy devices that are connected to networks.
BEST “CYBER HYGIENE” PRACTICES: IDENTIFY, PROTECT, DETECT, RESPOND AND RECOVER

Taking into consideration the FDA’s Postmarket Guidance, medical device manufacturers and healthcare systems should implement best “cyber hygiene” practices to establish a proactive, comprehensive risk management program to mitigate, monitor, and protect against cybersecurity threats, including:

1. Automated monitoring of cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and malware across all medical devices, especially those devices that are connected to networks;
2. Maintaining robust software lifecycle design verification and validation processes that include mechanisms for identifying and assessing risks, as well as updating and patching to protect against new vulnerabilities;
3. Educating and training company leadership and employees on understanding, assessing, and detecting the presence and impact of a vulnerability (such as being aware of email phishing schemes and how to avoid them);
4. Engaging in collaborative information sharing for cybersecurity vulnerabilities and threats;
5. Proactively communicating cybersecurity updates and guidance to patients and healthcare providers; and
6. Establishing an incident response and corrective action plan for handling a cyber-attack if one occurs, including investigation, managing the event, preserving the evidence, complying with privacy laws, and notifying the applicable regulators.
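The first practice in the list, automated monitoring of vulnerability information across the device fleet, is the one a manufacturer or hospital can largely mechanise. The Python below is an added example, not code from this article or from any device vendor: it keeps a constructed inventory of deployed devices, checks each advisory against it by comparing firmware versions, and ranks the hits using the FDA’s two stated factors, exploitability and severity of patient harm. Every vendor, model, version and advisory identifier is a constructed placeholder (no real product or CVE), the 1-to-3 scales and the doubling of the score for network-connected devices are my own assumptions, and a device whose firmware string cannot be parsed is deliberately kept in the report for manual review rather than silently dropped.

```python
"""Inventory-versus-advisory matcher for a connected medical device fleet.

Added example (not the article's or any vendor's code). All names, versions
and advisory ids below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str          # version string as reported by the device
    network_connected: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder id, not a real CVE or vendor bulletin
    vendor: str
    model: str
    fixed_in: str          # first firmware version that contains the patch
    exploitability: int    # assumed scale: 1 (hard) .. 3 (easy)
    severity: int          # assumed scale: 1 (minor) .. 3 (death or serious injury)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.10.1' into (2, 10, 1); return None for strings we cannot parse."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def is_vulnerable(device_version: str, fixed_in: str) -> Optional[bool]:
    """True when the device runs something older than the fix, None if unknown."""
    dev = parse_version(device_version)
    fix = parse_version(fixed_in)
    if dev is None or fix is None:
        return None
    # Pad with zeros so '2.3' compares as 2.3.0 rather than by tuple length.
    width = max(len(dev), len(fix))
    dev += (0,) * (width - len(dev))
    fix += (0,) * (width - len(fix))
    return dev < fix


def risk_score(adv: Advisory, dev: Device) -> int:
    """Exploitability times severity; doubled for devices reachable over a network (assumption)."""
    score = adv.exploitability * adv.severity
    return score * 2 if dev.network_connected else score


def match_advisories(inventory, advisories):
    """Return (device, advisory, status, score) rows, highest score first.

    status is 'vulnerable', or 'review' when the firmware string could not be
    parsed: an unreadable version must surface in the report, not vanish.
    """
    rows = []
    for adv in advisories:
        for dev in inventory:
            if (dev.vendor, dev.model) != (adv.vendor, adv.model):
                continue
            vulnerable = is_vulnerable(dev.firmware, adv.fixed_in)
            if vulnerable is False:
                continue                      # already running the fixed firmware
            status = "vulnerable" if vulnerable else "review"
            rows.append((dev, adv, status, risk_score(adv, dev)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample data.
INVENTORY = [
    Device("pump-01", "ExampleMed", "InfusionPump X", "2.3.1", True),
    Device("pump-02", "ExampleMed", "InfusionPump X", "2.4.0", True),
    Device("pump-03", "ExampleMed", "InfusionPump X", "2.3", False),
    Device("mon-01", "ExampleMed", "BedsideMonitor Q", "1.0.7", True),
    Device("pump-04", "ExampleMed", "InfusionPump X", "build-unknown", True),
]

ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleMed", "InfusionPump X", "2.4.0", 3, 3),
    Advisory("ADV-EXAMPLE-002", "ExampleMed", "BedsideMonitor Q", "1.1.0", 1, 2),
]

if __name__ == "__main__":
    for dev, adv, status, score in match_advisories(INVENTORY, ADVISORIES):
        print(f"{score:>2} {status:<10} {dev.asset_id:<8} {adv.advisory_id} fixed in {adv.fixed_in}")
```

Running it lists the two network-connected pumps first (one confirmed vulnerable, one flagged for review because its firmware string is unreadable), then the offline pump, then the monitor. In practice the advisory list would be fed from the ISAO or vendor feeds the article mentions and the inventory from the hospital’s asset register; the version comparison is the part that most often goes wrong, which is why it is isolated in its own function.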
One thing is very clear: manufacturers need to understand, assess and detect the level of potential risk that cybersecurity vulnerabilities pose to patients and then implement processes to continuously monitor and rapidly detect and patch those vulnerabilities before they are exploited. Manufacturers have the obligation to ensure that connected legacy devices are still able to protect patient data and mitigate cybersecurity threats. Failure to properly assess cybersecurity risks of connected devices during the premarket phase is likely to lead to the FDA rejecting or delaying devices from coming to market. Similarly, failure to continuously assess and patch vulnerabilities of connected devices already on the market is likely to result in FDA warning letters or other enforcement action, negative publicity, damage to reputation and patient trust in the company, and, most importantly, potential harm to patients. Lastly, healthcare systems should be cognizant of the devices that are connected to their networks and have processes in place for monitoring and detecting cybersecurity threats.
1. Should Hospitals Pay Up Following A Ransomware Attack? The Answer is Far From Simple (Evan Sweeney, April 27, 2017), http://www.fiercehealthcare.com/privacy-security/should-hospitals-pay-up-following-a-ransomware-attack-answer-far-from-simple.
2. Medical Device Cybersecurity: Maybe Dick Cheney Was Not So Paranoid After All, Drug & Device Law Blog (Steven Boranian, Sept. 4, 2015), https://www.druganddevicelawblog.com/2015/09/medical-device-cybersecurity-maybe-dick.html.
3. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm.
4. https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker-firmware-update-doctor-letter-aug2017-us.pdf?la.
5. J&J Warns Diabetic Patients About Hacking Risks of Insulin Pumps (Michelle Cortez, Oct. 4, 2016), https://www.bloomberg.com/news/articles/2016-10-04/j-j-warns-diabetic-patients-about-hacking-risks-of-insulin-pumps.
6. J&J Warns Diabetic Patients: Insulin Pump Vulnerable to Hacking (Jim Finkle, Oct. 4, 2016), http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e/jj-warns-diabetic-patients-insulin-pump-vulnerable-to-hacking-idUSKCN12411L.
7. Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Issued on Dec. 28, 2016), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
PAUL S. ROSENBLATT