Facebook is having a rough week, as you've no doubt gathered by now — unless you've been living completely off the grid.
Given that the medtech industry is becoming increasingly connected, MD+DI readers may be wondering if a medical device company or healthcare system could potentially experience the same problem that brought all of Facebook's services to a halt earlier this week. We checked in with Garrett Schumacher, principal cybersecurity engineer at Velentium, to find out if something like this could potentially happen to a medical device company.
Schumacher's insights on the matter through a medtech lens are quite interesting. But first, here's a layman's explanation of what caused Monday's massive Facebook outage, for those of us who had never heard of the domain name system (DNS) or the border gateway protocol (BGP) until this week:
Facebook runs everything through a backbone network connecting all of its computing facilities together, which consists of tens of thousands of miles of fiber-optic cables crossing the globe and linking all of the company's data centers, explained Santosh Janardhan, vice president of infrastructure at Facebook.
Sometimes Facebook engineers need to take part of that backbone offline for maintenance, which is usually no big deal. However, during one such routine maintenance jobs, a command was issued, which accidentally knocked down every connection in the backbone network, essentially telling the internet that Facebook no longer had any servers. Whoops.
Ideally, Facebook's systems would catch and prevent mistakes like this, but there was a bug in the audit tool. So essentially, the company's address book was blocked, and no one could find their servers, even though the servers were working just fine. Making matters even worse, Facebook engineers had no way of accessing their own data centers through normal means because their networks were down, and the total loss of DNS (the internet's address book) broke many of the company's internal tools used to fix problems like this. So Facebook had to send engineers onsite to its data centers to debug the issue and reboot the systems, which took time.
Schumacher did an excellent job explaining to MD+DI how the verification, validation, and code quality steps that any manufacturer should be doing before pushing a product out into the field or updating a fielded product would, hopefully, prevent such a snafu from impacting a medical device company. Hypothetically speaking, however, it is possible that a medtech company could drop the ball on such verifications and validations.
"Imagine a developer pushed firmware updates to medical devices, and the proper verifications and validation for that code were not performed (similar to the Facebook scenario). It's possible that such a flawed update could then brick/deadlock devices in the field in mass (denial of service similar to Facebook as well) or introduce an unintended vulnerability," Schumacher said. "That would be a nightmare — not only would patient outcomes be affected, but the physical endeavor to recall or replace those devices would be tremendous. Plus, the reputation of that business would be at risk, and the FDA would definitely be giving heavy scrutiny to that company and their products, even shutting that business down or embargoing their products. We have seen this happen before."
Schumacher added that he knows of some medical systems, primarily on the diagnostics side, that do absolutely require internet connectivity to work, and rely on APIs and/or local/cloud-hosted servers and the same fabric of the internet that Facebook used to lock themselves out of their own systems.
"DNA sequencers, for example, often require such connectivity, so those manufacturers could absolutely deny the availability of their products much in the same way," he said. "Imagine the expense to labs if that were the case — their main revenue generator would be down, and expensive consumables and samples could be lost/destroyed, prolonging needed diagnostic info."
Thankfully, he added, therapeutic devices should not require connectivity to perform as intended, it is possible for that therapy to not be modifiable by a clinician or patient if such an operating system were in effect.
How to avoid making the same mistake as Facebook
"When we design a medical device, we’re going to make it so that it’s not reliant on a single point of failure," Schumacher said. "We’re going to make it so that if one product goes down, the rest don’t go down also. Which is a really great point on not relying on one provider for everything."
Velentium is a contract design and development engineering firm specializing in active implantables and their accessories. The Houston, TX-based firm provides expertise in systems design, embedded cybersecurity, electrical and mechanical development, firmware, software, mobile apps, cloud-based applications, test systems, prototyping and manufacturing.
FDA puts a lot of emphasis on verification, validation, and code quality for this very reason, he said. The agency provides guidance to the industry as to how to do so, and what to actually expect out of such processes in order to avoid situations where quality isn't up to par and that leads to a potential security event.
"This wasn’t a security breach, but it was an event," he said, "Anytime you have a disruption of cyber services it’s a cyber event."
Schumacher also said there are times when companies do rely on single fault issues or they might put the fault credentials out there on a device, or even use the same credential across all of their products.
"So that’s actually a pretty similar scenario where one person had keys to the kingdom and can affect every product in the field," he said.
All of this, again, is why FDA has been so outspoken in recent years regarding the importance of cybersecurity in the medical device industry.
“You know, 10 years ago, having a medical device connected to the internet was really rare, and it was really restricted to the huge medical devices that were in a clinical setting," Schumacher said. "Today, everybody has some type of wearable device providing diagnostic information straight to their phone, straight to the cloud. So everything is becoming more connected, which obviously provides a ton of benefits. Patients and doctors and developers are much more connected than ever before. However, attackers and threat actors and even kids in their basement that like seeing Grandpa jump when his implanted stimulator is triggered … all these people are also more connected to the same infrastructure."
Perhaps that makes cybersecurity more important in the medical device industry than in any other field.
"But we’re also seeing great things from the FDA, and they’re leading the charge … [cybersecurity] has never been more important, but it’s also never been better, and it’s going to continue to get better,” Schumacher said.
Hospitals may be a different story though.
"Large clinical environments also have servers that they’re reliant on for therapy or diagnostics, and they use the same mesh of the internet that Facebook uses, and that everyone else uses," he said.
Hopefully, even if something like this did happen to a hospital network, Schumacher said, the medical devices and equipment used within that hospital would continue to work as intended, even if they were unable to connect to the hospital's server.