What you need to know about the FDA’s latest approach to healthcare technology—particularly as it relates to cybersecurity

By Aine Cryts 

Avid watchers of Showtime’s award-winning series “Homeland” were horrified to witness the hacking of the fictional U.S. vice president’s pacemaker after its serial number was used to activate the device wirelessly. In that episode, which aired during the show’s second season in 2012, the attacker used that access to induce a heart attack, ultimately killing the vice president.

Back in the real world, former Vice President Dick Cheney revealed in 2013 that his care team had turned off the wireless feature of his pacemaker, which had been implanted in 2007. That’s because his doctors were afraid that a similar hacking of Cheney’s pacemaker could occur at the hands of a terrorist.

“Unfortunately, the nightmare scenario that was depicted on the TV show is a reality,” says Jonathan Langer, CEO of Medigate, which helps healthcare providers identify and protect Internet of Medical Things (IoMT) devices on their networks. “The fact of the matter is, just like any organization is prone to cyberattacks, hospitals and healthcare systems across the globe are even more prone to an attack due to the fact that medical devices are installed on their network.”

In many cases, healthcare organizations lack cyberattack mitigation capabilities. That renders them “soft targets,” he explains. Because of what’s been learned about the WannaCry ransomware attacks in 2017, hackers are increasingly aware of healthcare organizations’ vulnerability, adds Langer.

Darshan Kulkarni, JD, PharmD, vice president of regulatory strategy and policy at Synchrogenix, which advises clients on a variety of regulatory and corporate matters related to bringing products to market, agrees that a hacker could gain access to a patient’s medical device, much as a person with bad intentions could gain access to a far simpler device, such as a Bluetooth-connected blood glucose monitor.

One entity that is taking these risks seriously is the U.S. FDA, so much so that the agency issued draft guidance on this topic in October. Dubbed “Draft Guidance for Industry and Food and Drug Administration Staff,” the federal agency’s guidance is “intended to provide recommendations to the industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk,” according to the draft guidance document.

After all, the document adds, “These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.” (The FDA is asking for comments on the draft guidance by March 18, 2019.)

The FDA says it issued this draft guidance now because of the “rapidly evolving landscape, and the increased understanding of the threats and their potential mitigations.” Also in October, the FDA released a cybersecurity playbook alongside the MITRE Corp., a Bedford, Mass.-based nonprofit that manages research projects for the U.S. government.

The guide, titled “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook,” helps healthcare delivery organizations and other stakeholders plan for and respond to cybersecurity incidents associated with medical devices, according to FDA officials. Such efforts can go a long way toward protecting patients, they say.

Drawing upon the FDA/MITRE’s playbook, Medigate’s Jonathan Langer says healthcare providers must prioritize these three activities:

  1. Conducting an inventory of their medical devices
  2. Ensuring the careful configuration of firewalls and prevention capabilities
  3. Developing enterprise-wide detection processes

For a long time, medical devices haven’t been viewed in the same way as computers or printers, specifically in terms of being networked, says Langer. His advice? Healthcare organizations must apply the basic fundamentals of “cybersecurity hygiene,” which he defines as networking and protection capabilities, to combat the cybersecurity risks associated with medical devices.

The lack of a comprehensive inventory of the healthcare organization’s medical devices is “a blind spot,” says Langer. So, too, is the lack of a solid understanding of which medical devices are connected wirelessly and, even more importantly, which devices need to be protected. Closing these gaps must take precedence, he adds.

An integral part of a healthcare organization’s cybersecurity strategy is patching, adds Langer. “Patching medical devices is different than with laptops or any other device. It is complicated and requires updates that are done by the manufacturer”—something, he says, that is a “missing piece at many healthcare facilities.”

While he acknowledges that patching is difficult in the medical arena, it’s important to manage this activity carefully using automated systems. Equally important is outreach to medical device manufacturers so that patches, once available, are included in the hospital’s overall cybersecurity hygiene in a timely and organized manner.
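The inventory and patching gaps described above can be made concrete with a small reconciliation script. The following is an added example, not code from Medigate, the FDA or MITRE; the device models, MAC addresses, firmware versions and advisory dates are all constructed, and the thresholds are assumptions. It goes a step beyond the text by checking the inventory in both directions: devices seen on the network that nobody recorded (the “blind spot”), inventory records never seen on the network (stale or misrecorded), and devices whose firmware lags the manufacturer’s current release beyond an agreed patch window, with wireless devices listed first because they are the ones reachable without physical access.

```python
"""Reconcile a medical-device inventory against network observations and
manufacturer firmware advisories. Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    mac: str
    wireless: bool      # communicates or receives updates over Wi-Fi/Bluetooth
    firmware: str
    last_patched: date


@dataclass(frozen=True)
class Advisory:
    model: str
    current_firmware: str   # latest firmware the manufacturer has released
    released: date


# Constructed CMMS inventory (hypothetical models, IDs and MACs).
INVENTORY = [
    Device("IP-0001", "InfusionPump-X", "00:11:22:00:00:01", True, "2.3", date(2017, 6, 1)),
    Device("IP-0002", "InfusionPump-X", "00:11:22:00:00:02", True, "2.4", date(2018, 9, 15)),
    Device("MON-0007", "BedsideMonitor-Q", "00:11:22:00:00:07", False, "5.1", date(2018, 1, 10)),
]

# Constructed manufacturer advisories: latest firmware per model.
ADVISORIES = [
    Advisory("InfusionPump-X", "2.4", date(2018, 8, 1)),
    Advisory("BedsideMonitor-Q", "5.2", date(2018, 11, 20)),
]

# Constructed passive observations: MACs seen on the clinical network segment.
OBSERVED_MACS = {
    "00:11:22:00:00:01",
    "00:11:22:00:00:07",
    "00:11:22:00:00:99",   # no inventory record: the "blind spot"
}


def find_unknown_devices(observed_macs, inventory):
    """MACs seen on the network that have no inventory record."""
    known = {d.mac for d in inventory}
    return sorted(observed_macs - known)


def find_unseen_devices(observed_macs, inventory):
    """Inventory records never observed on the network (stale or misrecorded)."""
    return sorted(d.asset_id for d in inventory if d.mac not in observed_macs)


def version_tuple(version):
    """'2.10' sorts after '2.3' when compared numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_patch_backlog(inventory, advisories, as_of, max_days=90):
    """Devices running firmware older than the manufacturer's current release,
    where that release has been available for more than max_days.
    Returns (asset_id, wireless, target_firmware, days_available), wireless first."""
    latest = {a.model: a for a in advisories}
    backlog = []
    for d in inventory:
        adv = latest.get(d.model)
        if adv is None:
            continue  # no advisory data for this model: worth its own follow-up
        if version_tuple(d.firmware) < version_tuple(adv.current_firmware):
            days = (as_of - adv.released).days
            if days > max_days:
                backlog.append((d.asset_id, d.wireless, adv.current_firmware, days))
    backlog.sort(key=lambda row: (not row[1], row[0]))
    return backlog


if __name__ == "__main__":
    today = date(2019, 1, 15)  # constructed "as of" date
    print("Unknown on network:", find_unknown_devices(OBSERVED_MACS, INVENTORY))
    print("Inventoried but unseen:", find_unseen_devices(OBSERVED_MACS, INVENTORY))
    for row in find_patch_backlog(INVENTORY, ADVISORIES, today):
        print("Patch backlog:", row)
```

In practice the inventory would come from the CMMS export and the observed MACs from a passive network sensor or switch CAM tables; the script is deliberately kept to the reconciliation logic so that each list it returns maps to one of the governance questions in the article (what do we have, what is exposed, what is behind on patches).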

The Importance of Shared Responsibility

Cybersecurity related to medical devices is shared among various stakeholders in the hospital, including HTM professionals, information technology and information security personnel, and those who are actually designing the equipment: the medical device manufacturers.

“This is not an easy thing. These [internal hospital teams] don’t necessarily work on routine processes together, but now they need to come together in order to address the cybersecurity concerns with medical devices,” says Langer. Best practice is to embrace a solid governance structure, rather than rely on technology, he adds.

This includes internal team members with different levels of experience and education, all of whom must collaborate to build a solid cyber defense. While Langer agrees that attempting this level of cross-departmental collaboration is “ambitious,” healthcare leaders need to adhere to a plan that articulates what the process within the hospital looks like.

For example, HTM professionals must own responsibility for part of the patching process; information technology facilitates another part of the process; and information security provides oversight. Once the determination of “who does what” is clearly defined, this framework can be used for implementing and applying tools that will help automate the process, says Langer. He recommends that hospital leaders dive deeper into the FDA/MITRE guidance on governance for additional insight.

Pressure on Device Manufacturers Increases

To Langer, the FDA is “definitely putting the pressure on manufacturers to enable updating and patching to be done more seamlessly as part of the design and architecture of the device” in the draft of its premarket guidance. Most likely, he says, the federal agency will require that the manufacturer demonstrate this within its premarket review.

“This is a very important step forward because while patching is obviously recognized as such an important security mitigation capability, it’s been somewhat missing for many medical device manufacturers,” Langer adds. Within the premarket guidance, the Five Functions of the Cybersecurity Framework (identify, protect, detect, respond, and recover) are helpful.

Here, the FDA is adopting the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure, a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. According to NIST, “The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

Langer, for one, is optimistic that the framework can be successful in the healthcare arena. Specifically, in the premarket guidance draft, the FDA calls for medical device manufacturers to communicate about the software modules and applications that are used on the medical device.

“This is so important because today this is not common knowledge. It’s not documented necessarily,” says Langer. “This would allow the different stakeholders to know how to better protect the medical device from new attacks that are evolving every day.”

Investing in Security

A nefarious actor could hack a politician’s pacemaker or an average patient’s Bluetooth-connected blood glucose monitor. That’s why Kulkarni, the Philadelphia-based attorney with experience advising on FDA matters, is encouraged that healthcare executives are focused on the cybersecurity of medical devices—and that they’re willing to make strategic investments, where necessary.

Still, it’s not an area where large enough investments are currently being made, Kulkarni stresses. Thus, healthcare leaders should prioritize how they’re managing the cybersecurity risks associated with medical devices at their facilities. Specifically, the healthcare organization’s cybersecurity approach must account for how many of its medical devices are hardwired versus how many automatically receive updates wirelessly.

The latter is common, and it leaves medical devices vulnerable to cyberattacks. While it’s impossible to create a completely secure environment for medical devices, healthcare facilities must keep up with the latest updates—and healthcare executives have to prioritize resources accordingly, according to the experts.

At the same time, the onus of managing cybersecurity risks regarding medical devices is also shared with manufacturers. But medical device manufacturers aren’t incentivized to invest in these efforts, experts explain. “Most technology is based on ‘make it now, get revenue, then make the next version a little bit better,’ but no one’s looking at ‘backwards cybersecurity.’ And that needs a lot more investment, a lot more time,” says Kulkarni.

The challenge is that once a device is sold, the manufacturer receives no further revenue from that sale. It’s difficult to determine the best way to incentivize a manufacturer to update devices over time, he adds. Kulkarni wonders whether medical devices may one day be sold on a subscription basis.

This business model, which is similar to the software-as-a-service model, would ensure ongoing revenue for manufacturers; in addition, it would allow manufacturers to make cybersecurity-focused and other investments in devices while staying in business. To achieve success, medical device manufacturer executives must believe in the quality of the devices they bring to market.

That’s according to Om V. Singh, PhD, senior regulatory consultant at Washington, D.C.-based TSG Consulting, which provides global regulatory consulting, advice, and scientific services to assist with product registration and compliance across a wide range of industries. He adds that the development of quality products leads to increased profits, lower risks, healthier patients, satisfied hospital customers, and sustainable growth for the industry as a whole.

Involving the C-Suite

Identifying what matters to hospital leadership is important, adds Kulkarni. For members of the hospital C-suite, for instance, getting penalized by the Centers for Medicare and Medicaid Services (CMS) if a patient is readmitted within 30 days of discharge is top of mind. Suppose, for example, that a cardiac patient’s medical device is hacked after he or she is released from the hospital, forcing the patient to return for treatment.

In addition to concern for the patient, hospital executives will undoubtedly be worried about whether or not CMS will pay them for the return visit since the agency relies on healthcare facilities to update devices with manufacturer-supplied patches. Further, chief technology officers, particularly critical members of the hospital C-suite, will be concerned with having the latest and greatest technologies.

From a medical device cybersecurity standpoint, however, Kulkarni says CTOs should take a page from the FDA/MITRE playbook and prioritize the development of an inventory of all purchased devices, as well as those that are currently in use.

Unfortunately, not all organizations have a complete inventory of their medical devices—and that’s a problem, Kulkarni stresses. Consider, for example, a device that has been implanted in a patient’s chest and receives updates from the manufacturer. These devices are being tracked, to a certain extent, but not in a centralized location where all the updates are available from the previous 10 or more years, says Kulkarni.

And this is important, since some patients have devices that were implanted more than 10 years ago. So, what can healthcare entities do? Kulkarni recommends that healthcare leaders demand that medical device manufacturers provide them with quarterly updates over a particular period of time—otherwise, their facility may take their business elsewhere.

Such a demand would convince medical device companies that it’s worth including the cost of cybersecurity-focused updates in the cost of doing business; that’s where the software-as-a-service business model would be a good fit, Kulkarni maintains.

But regardless of whether this approach works or not, HTM professionals must soldier on in their quest to promote a cyber secure environment and adhere to FDA guidelines. After all, HTM professionals will continue to maintain life-critical medical devices, but they could certainly use support from hospital leadership and medical device manufacturers to protect patients from avoidable hospital visits—and even adverse events, such as death—should a bad actor hack into their medical device.

Aine Cryts is a contributing writer for 24×7 Magazine. Questions and comments can be directed to Keri Forsythe-Stephens at [email protected].