Steve Abrahamson, senior director of product security at GE Healthcare, spoke about cybersecurity at MD&M West 2019. Photo credit: MD+DI/Amanda Pedersen
Software is a weak link for medical devices, according to Stericycle Expert Solutions' second-quarter recall index. The report found software issues to be the top cause of medical device recalls for the 13th straight quarter.
"As we become increasingly reliant on AI and data collection, software becomes an even bigger vulnerability for patients, physicians, and wrongdoers," said Chris Harvey, director of recall solutions at Stericycle. "If the software that is used to operate a device is inadequate, how can we be sure that it is protected from cybersecurity vulnerabilities? Add to that the fact that companies have only recently been laser-focused on mitigating cyber threats associated with medical devices. It's a recipe for disaster."
Cybersecurity Crime in Medtech – The Threat Is Real
As MD+DI recently reported, cybersecurity threats in medtech are really scary. In late June, FDA reported that due to cybersecurity vulnerabilities identified in Medtronic's MiniMed 508 and MiniMed Paradigm insulin pumps, a hacker could potentially connect wirelessly to a nearby device and change the pump's settings. This could allow a person to over-deliver insulin to the patient, leading to low blood sugar, or to stop insulin delivery, leading to high blood sugar and a buildup of acids in the blood. The MiniMed recall does not yet appear on FDA's list of 2019 medical device recalls and is therefore not included in the table above (there sometimes is a lag between the date that the manufacturer initiates a recall and when it appears on FDA's website).
To be clear, there have not been any confirmed reports of patient harm related to these risks, but it's scary to think about the possible fallout if a hacker were to take advantage of this vulnerability to intentionally blackmail or hurt a targeted individual who happens to use one of these devices.
Cybersecurity is one of the biggest issues keeping medtech manufacturers awake at night, according to a panelist at MD&M West 2019.
“Depending on the particular segment, cybersecurity is a really critical issue for the medtech industry,” said Yarmela Pavlovic, a partner at Hogan Lovells, an international law firm. “I see companies at varying stages of adoption in cybersecurity policies, and for very young companies coming more from the tech industry, cybersecurity feels like a much more natural fit... But then there are a lot of companies grappling with legacy products and trying to implement cybersecurity controls based on more modern technology for products where those concerns were not part of the original design and development.”
Steve Abrahamson, senior director of product security at GE Healthcare, also spoke about cybersecurity at MD&M West in February.
"Going back five or 10 years ago, researchers started showing that it was possible to hack into medical devices and possibly cause the patient harm," Abrahamson said. "... It's never actually happened in the real world, but it is very terrifying to people because it could happen in theory."
Abrahamson said there has been a shift in mentality when people think about security for medical devices.
"In traditional safety risk management, we're protecting people from malfunctioning devices," he said. "When we think about cybersecurity risk management, we're protecting devices from malfunctioning people."
The Harshest Critics of Medical Device-Related Cybersecurity Flaws
Reports of cybersecurity vulnerabilities like Medtronic's have drawn particularly harsh criticism from cybersecurity experts outside of the medical device industry.
"Medical device manufacturers who aren't engaging in real security, or in this case, even basic security practices, should probably have their FDA approvals revoked," said Aaron Zander, head of IT at HackerOne, in response to an earlier cybersecurity issue involving Medtronic's implantable defibrillators. "Unlike a kids toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn't meant to come out and be replaced regularly. The surgery to replace this with a 'better' or 'safer' version in itself is dangerous and comes with life-threatening repercussions."
It should be noted, however, that most cybersecurity vulnerabilities in medical devices are typically addressed with a software or firmware update. Patients do not usually have to have the device surgically replaced.
"The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security," Zander said. "The repercussions of not acting now are deadly.”
Deborah Chang, VP of business development and policy at HackerOne, suggested that the problem has to do with a lack of cybersecurity education.
"Only in the last 15 years, have there been any formal biomedical engineering degrees. Even so, these degrees/programs do not teach cybersecurity or have it as part of their curriculum," Chang said. "When designing a device, you are thinking about fixing a biological problem with a mechanical device. You are not thinking about the security of the device. Therefore, the culture must be changed."
What Is the Government Doing About Medtech Cybersecurity Vulnerabilities?
The issue has certainly not escaped the attention of lawmakers.
In February, Sen. Mark Warner (D-VA) sent letters to several healthcare organizations, including AdvaMed, to seek input on ways to improve cybersecurity in the healthcare industry. In his letter, Warner mentioned apparent gaps in oversight.
“The increased use of technology in healthcare certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending," Warner said. "However, the increased use of technology has also left the healthcare industry more vulnerable to attack."
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that the cost of cyber attacks would cost the U.S. healthcare system $305 million over a five-year period.
"As manufacturers of medical devices, patient safety is our number one priority and we take seriously the need to continuously assess the security of our devices in a world where technology constantly evolves," AdvaMed said in its response to Warner.
Healthcare Cybersecurity Must-Haves
While there are a number of challenges involved with protecting medical devices from hackers, Abrahamson shared the following "must-haves" that hospital organizations are looking for from medical device manufacturers: Devices with built-in product security; security-aware purchasing contracts; and an organizational support plan.
"They want devices with built-in product security. They're actually baking security requirements into their purchasing contracts, so I spend a lot more time than I want to working with our sales and contract team on negotiating terms with our customers and how we will support security within the products that we're selling," Abrahamson said. "And also organizational support, how are manufacturers going to work with users of devices to make sure that products are going to be supported throughout the lifestyle."
Perhaps one of the biggest takeaways from Abrahamson's presentation is the importance of addressing cybersecurity risks across every major function of the organization.
"In many cases, security in the technology area is viewed as an engineering problem," he said. "Yeah we have smart engineers, they'll figure out how to solve this, but it is not an engineering problem. It has a lot of engineering-based solutions, but it can only be solved by a multifunction approach including engineering, service, product management, and the commercial side."
FDA has responded to cybersecurity concerns like these with formal guidance, and cybersecurity is one of the reasons the agency wants to modernize its 510(k) clearance pathway.
AdvaMed has also adopted a set of five principles aimed at helping medical device companies and healthcare organizations mitigate cybersecurity threats. In short, these include: addressing cybersecurity risk from device conception through disposal; an understanding that medical device cybersecurity is a shared responsibility; implementing coordinated disclosure policies; participating in information sharing programs; and having standards and regulations developed collaboratively among all relevant stakeholders.
Recall Trends Across Industries
Recalls in the second quarter remained flat across the industries that Stericycle reports on, but serious and deadly incidents were on the rise – an indication of lagging activity by regulatory agencies, the Stericycle recall experts noted.
"The numbers in this Index are just one data point in the product safety story. Over the last six months, regulators have been the target of consumer advocates, victims, and even Congress," said Chris Harvey, director of recall solutions at Stericycle Expert Solutions. "Perhaps the most obvious has been the criticism lodged at the Consumer Product Safety Commission for its handling of safety-related issues. Then there are the cries for the Food and Drug Administration to act quicker on CBD and cannabis while behind the scenes food safety inspections continue to lag."
While there may be fewer regulations, the actions taken have been stricter and even severe, according to food, drug, and medical device companies that have found themselves under scrutiny.
FDA recently said it is taking new steps to strengthen and modernize the process for issuing a public warning about a voluntary recall and for notification of recalls.
"Most companies collaborate with the FDA to rapidly initiate voluntary recalls and work with their supply chain partners to remove the product from shelves to prevent further distribution," the agency noted. "And in general, a recall occurs quickly when the problem is discovered. However, there are situations where the FDA may need to provide safety advice to [the] marketplace to protect consumers."
Companies that have recalled medical devices this year include (in order from most recent): Fresenius Kabi, Abbott, Becton Dickinson, Teleflex, GE Healthcare, Hamilton Medical, Edwards Lifesciences, Vyaire Medical, Cook Medical, Terumo Medical, Integra Lifesciences, Beckman Coulter Lifesciences, Ethicon, Alpha Omega Engineering, Brainlab, O-Two Medical Technologies, RVO 2.0, Physio-Control, Medtronic, Smiths Medical, West Pharmaceutical Services, Terrific Care/Medex Supply, Draeger Medical.