Recent reports of cybersecurity vulnerabilities involving Medtronic's ICDs and CRT-Ds have brought medical device-related cybersecurity concerns back into the spotlight.
The Department of Homeland Security and FDA alerted healthcare providers and patients last week about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable defibrillators, clinical programmers, and home monitors.
FDA said healthcare providers and patients should continue to use these devices as intended and follow device labeling. The agency said the system's overall design features help safeguard patients, and that the company is developing updates to further mitigate these vulnerabilities. There have not been any reports of patient harm related to this issue, the agency noted.
The MyCareLink Monitor (models 24950 and 24952) is used to wirelessly connect to the patient's implanted cardiac device and read the data stored on the device. The transmitter, located in the patient's home, sends the patient's data to his or her physician(s) by the CareLink Network using a continuous landline, cellular, or wireless Internet connection.
See FDA's announcement for a complete list of the implantable cardioverter defibrillators (ICDs) and cardiac resynchronization defibrillators (CRT-Ds) that are affected. The agency noted that the alert does not apply to any pacemakers, cardiac resynchronization pacemakers (CRT-Ps), CareLink Express monitors, or the CareLink Encore Programmer.
This isn't the first time Medtronic has been the subject of a warning from Homeland Security. Last year the agency reported cybersecurity vulnerabilities affecting the company's N'Vision clinical programmer used in conjunction with certain neurological implantable therapies. Several of the company's peers have also experienced cybersecurity problems, including Abbott and Guardant Health.
FDA has responded to cybersecurity concerns like these with formal guidance, and cybersecurity is one of the reasons the agency wants to modernize its 510(k) clearance pathway.
Why Cybersecurity Threats in Medtech are Really Scary
Cybersecurity is one of the biggest issues keeping medtech manufacturers awake at night, according to a panelist at MD&M West 2019.
“Depending on the particular segment, cybersecurity is a really critical issue for the medtech industry,” said Yarmela Pavlovic, a partner at Hogan Lovells, an international law firm. “I see companies at varying stages of adoption in cybersecurity policies, and for very young companies coming more from the tech industry, cybersecurity feels like a much more natural fit. . . But then there are a lot of companies grappling with legacy products and trying to implement cybersecurity controls based on more modern technology for products where those concerns were not part of the original design and development.”
Steve Abrahamson, senior director of product security at GE Healthcare, also spoke about cybersecurity at MD&M West in February.
"Going back five or 10 years ago, researchers started showing that it was possible to hack into medical devices and possibly cause the patient harm," Abrahamson said. "... It's never actually happened in the real world, but it is very terrifying to people because it could happen in theory."
Abrahamson said there has been a shift in mentality when people think about security for medical devices.
"In traditional safety risk management, we're protecting people from malfunctioning devices," he said. "When we think about cybersecurity risk management, we're protecting devices from malfunctioning people."
The Harshest Critics of Medical Device-Related Cybersecurity Flaws
Reports of cybersecurity vulnerabilities like Medtronic's have drawn particularly harsh criticism from cybersecurity experts outside of the medical device industry.
"Medical device manufacturers who aren't engaging in real security, or in this case, even basic security practices, should probably have their FDA approvals revoked," said Aaron Zander, head of IT at HackerOne, in a statement emailed to MD+DI on Friday. "Unlike a kid's toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn't meant to come out and be replaced regularly. The surgery to replace this with a 'better' or 'safer' version in itself is dangerous and comes with life-threatening repercussions."
It should be noted, however, that most cybersecurity vulnerabilities in medical devices are addressed with a software or firmware update, as in Abbott's case. Patients do not usually have to have the device surgically replaced.
"The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security," Zander said. "The repercussions of not acting now are deadly."
Deborah Chang, VP of business development and policy at HackerOne, suggested that the problem has to do with a lack of cybersecurity education.
"Only in the last 15 years have there been any formal biomedical engineering degrees. Even so, these degrees/programs do not teach cybersecurity or have it as part of their curriculum," Chang said. "When designing a device, you are thinking about fixing a biological problem with a mechanical device. You are not thinking about the security of the device. Therefore, the culture must be changed."
What Is the Government Doing About Medtech Cybersecurity Vulnerabilities?
The issue has certainly not escaped the attention of lawmakers.
In February, Sen. Mark Warner (D-VA) sent letters to several healthcare organizations, including AdvaMed, to seek input on ways to improve cybersecurity in the healthcare industry. In his letter, Warner mentioned apparent gaps in oversight.
"The increased use of technology in healthcare certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending," Warner said. "However, the increased use of technology has also left the healthcare industry more vulnerable to attack."
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyber attacks would cost the U.S. healthcare system $305 million over a five-year period.
"As manufacturers of medical devices, patient safety is our number one priority and we take seriously the need to continuously assess the security of our devices in a world where technology constantly evolves," AdvaMed said in its response to Warner.
Healthcare Cybersecurity Must-Haves
While there are a number of challenges involved with protecting medical devices from hackers, Abrahamson shared the following "must-haves" that hospital organizations are looking for from medical device manufacturers: devices with built-in product security; security-aware purchasing contracts; and an organizational support plan.
"They want devices with built-in product security. They're actually baking security requirements into their purchasing contracts, so I spend a lot more time than I want to working with our sales and contract team on negotiating terms with our customers and how we will support security within the products that we're selling. And also organizational support, how are manufacturers going to work with users of devices to make sure that products are going to be supported throughout the lifestyle."
Perhaps one of the biggest takeaways from Abrahamson's presentation is the importance of addressing cybersecurity risks across every major function of the organization.
"In many cases, security in the technology area is viewed as an engineering problem," he said. "Yeah we have smart engineers, they'll figure out how to solve this, but it is not an engineering problem. It has a lot of engineering-based solutions, but it can only be solved by a multifunction approach including engineering, service, product management, and the commercial side."
AdvaMed has also adopted a set of five principles aimed at helping medical device companies and healthcare organizations mitigate cybersecurity threats. In short, these include: addressing cybersecurity risk from device conception through disposal; an understanding that medical device cybersecurity is a shared responsibility; implementing coordinated disclosure policies; participating in information sharing programs; and having standards and regulations developed collaboratively among all relevant stakeholders.