By Soniya Shah
It’s no secret that attacks on data security and privacy are occurring with increasing frequency, which is alarming no matter what the data is. Healthcare, however, is one of the most frequently targeted sectors and among the least equipped to respond when an attack happens, with data breaches that cost the industry about $5.6 billion a year. Attacks on medical devices in particular pose a new concern in the Internet of Things world. Healthcare organizations have a heightened sense of urgency in accessing their systems, since patient data can be time-sensitive. It’s creepy to think that a pacemaker or MRI scanner could be infected with malware. Malware can do anything from deleting data to copying it, with a wide range of possibilities in between, including corrupting the data, using it for extortion, and modifying it. It’s easy to see why criminals would want to take advantage of this kind of information: medical records contain the most intimate details about a person, and that information can be used in identity theft.
At a time when healthcare organizations are more connected to technology than ever before, it is easier than ever to attack the healthcare industry. Previously, medical devices kept their data on the device itself and were not connected to other networks. As technology has evolved, patient information now lives in electronic records, where it can be accessed remotely. As part of this evolution, medical devices have become part of the ecosystem, acting as computers on a larger network used for diagnosis, treatment, and patient monitoring. The healthcare industry as a whole has been slower to respond to attacks with cybersecurity updates.
In response to concerns regarding cybersecurity and medical devices, the FDA released new guidance measures in October 2018 instructing device manufacturers on labeling, design, and documentation. Critics worry that because these measures are nonbinding, they will not force the industry to change. Since medical devices have not been manufactured with cybersecurity in mind, the burden will fall to hospitals and healthcare organizations to ensure their equipment is secure. Comments on the draft guidance are due March 18, 2019.
In the guidance, the FDA identified two tiers of devices based on the corresponding cybersecurity risk. Tier 1 devices are capable of connecting to a network or the internet and include devices such as pacemakers, dialysis devices, infusion and insulin pumps, and the supporting connected systems that interact with these devices such as home monitors and those with command and control functionality such as programmers. Tier 1 device manufacturers should include design documentation to show that the device is trustworthy and secure based on the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Tier 2 devices are not deemed high risk because they are not connected wirelessly or to the internet, but they still pose a risk of exploitation. Submissions for these devices should include documentation that the manufacturer incorporated all the security controls recommended for Tier 1 devices, or provide reasoning for why those controls are not necessary.
Overall, the recommendations use a risk-based approach to the design and development of protections in medical devices. These recommendations should encourage manufacturers to think about the lifecycle of their designs and to create devices that can be updated to thwart new security threats. Design controls can include authorization to access the device, time-limited sessions, and layered authorization (meaning that technicians have different access than a physician). Further, the FDA strongly recommends proper labeling to warn both patients and providers about the potential risks involved.
It’s also clear that government leaders are paying attention. United States Senator Mark R. Warner (D-VA), a co-chair of the Senate Cybersecurity Caucus, wrote on February 25th to leaders seeking details regarding the healthcare sector’s vulnerability. Sen. Warner addressed the issues the field faces, namely the gaps in oversight that could lead to malicious attacks.
It’s hard to say what’s next, and there will likely be more guidelines and updates after the comments are submitted to the FDA. Whether the FDA will move to issue binding regulations rather than suggestions is an important question for the future.