MD+DI Online is part of the Informa Markets Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

How to Protect Your Medical Device Against Cyber Threats

Alan Grau

Policy-based filtering provides a critical missing layer of security for medical devices.

Security vulnerabilities involving medical devices have been well documented. For example, in 2013, manufacturers shipped out more than 300 devices to customers with hard-coded passwords, which could have permitted hackers to gain control of the devices and make it impossible to update the passwords to block future attacks. Hackers could then have exploited this vulnerability to change critical settings or modify device firmware. The vulnerability affected a wide range of device types, including surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The technological capacity to launch cyber attacks was demonstrated more recently when Kaspersky Labs announced that hackers—apparently the U.S. National Security Agency and the United States Cyber Command—inserted malware into the firmware of computer systems in Iran and other countries. Despite an operating system reinstall, the malware remained in place, enabling the hackers to discover encryption keys and crack encryption algorithms.

While bad actors continue to develop new and more sophisticated cyber attacks, many medical device manufacturers are failing to keep pace with the evolving threat landscape. Facing this challenge, manufacturers must take a new look at security and abandon the concept of ‘security by obscurity’ as the relic that it is. Ultimately, they must be willing to invest resources into building security into every new medical device while seeking ways to protect devices that are already in use.

Securitizing Critical Infrastructure Devices

From small to large and simple to complex, medical device products and system assets range from consumer gadgets to sophisticated hospital systems and are commonly designed to perform a range of specific tasks. Incorporating specialized operating systems such as VxWorks, Nucleus, Integrity, Freescale MQX, or a stripped-down version of Linux, they cannot accommodate new software or can do so only if they undergo an upgrade. And because many medical devices minimize processing cycles and memory use, they usually do not have the extra processing resources required to support traditional security mechanisms. Given the specialized nature of medical device technologies, standard PC security systems cannot protect them or even run on them.

To achieve IT security, large enterprises rely on the use of multiple layers of protection, including firewalls, authentication/encryption software, security protocols, and intrusion detection/intrusion prevention systems. Based on proven security principles, firewalls are well-established mechanisms, but they are largely absent from many medical devices and systems. Based on the assumption that medical devices are not attractive targets to hackers, that they are not vulnerable to attack, or that authentication and encryption can provide adequate protection, many manufacturers rely solely on simple password authentication and security protocols. However, these assumptions are no longer valid. As the number and sophistication of cyber attacks continues to rise, greater security measures are needed.

For more than 25 years, cybersecurity has been a critical focus for large enterprises. In contrast, it has become a focus only recently for most engineers that build embedded computing devices. “Experience is the best teacher, but the tuition is high,” according to the old saying. To avoid paying the tuition and ensure that their devices are secure, medical design engineers can take a page from the enterprise security playbook in order to:

  • Create hardened devices with secure boot, authentication, and antitamper technology.
  • Implement secure communication using security protocols and embedded firewalls.
  • Enable device visibility based on remote command audits and event reporting.
  • Improve security management using remote policy management and integrated security management systems.
  • Develop policy-based filtering to provide a critical missing layer of security for medical devices.

What Does FDA Say?

Table I: FDA provides guidance to medical device manufacturers for building security into their systems.
To help ensure high levels of security, FDA has issued security guidelines for medical device OEMs that are designed to
  • Protect devices from hackers and cyber attacks that may be launched from the Internet, inside the corporate network, or via Wi-Fi networks.
  • Control the packets processed by medical devices.
  • Protect devices against denial-of-service attacks and packet floods.
  • Manage and control changes to filtering policies and other security parameters.
  • Detect and report traffic abnormalities, probes, or attacks.

By building the capabilities presented in Table I into their medical devices, manufacturers will be able to meet the FDA security guidelines.

Bump-in-the-Wire Solutions

Many legacy medical devices and systems that are already in place have been manufactured using inadequate security measures. Upgrading these devices to improve security requires that the device manufacturer develop newer software or firmware versions incorporating improved security features. Once a new version is available, the devices can be upgraded to provide enhanced security.

Icon Labs Floodgate defender provides a bump-in-the-wire solution to protect existing medical equipment and systems.

Unfortunately, the upgrade process may be difficult, expensive, or impossible. For example, some devices cannot be upgraded without being returned to the factory. Others may no longer be supported by the manufacturer, or the company may no longer exist. Replacing such devices is often prohibitively expensive, while newer devices with enhanced security features may not yet be available.

Among the methods for upgrading existing medical device security systems are bump-in-the-wire solutions. Based on Layer 2 encryption, such solutions ensure platform independence, do not require special software or hardware to manage routing decisions, and require little configuration and maintenance. For legacy medical equipment and systems that cannot be easily or affordably replaced or upgraded, bump-in-the-wire solutions offer a means to ensure valid communication.

How to Build Security into Your Device

By building protection into a medical device and providing it with a critical security layer, it is no longer dependent on a corporate firewall as its sole means of defense against threats either malicious or unintentional. For medical device applications, security solutions must ensure that the firmware has not been tampered with. They must also secure stored data and secure communications into and out of the device, providing protection from cyber attacks. This objective can only be achieved by designing security into the device from the start. There is no one one-size-fits-all security solution for embedded devices, but customized systems are available that can meet specific device requirements.

Because today’s medical devices and systems are complex connected devices that are charged with performing a host of vital functions, including security in them is critical. Security features must be considered early in the design process to ensure that devices are protected from the advanced cyber threats they may face now and in the future.

Alan Grau is the president and cofounder of West Des Moines, IA–based Icon Labs. Reach him at alan.grau@iconlabs.com.

Who’s to Blame for Superbug Deaths Linked to Endoscopes?

Who’s to Blame for Superbug Deaths Linked to Endoscopes?

After two patients died and serveral more were sickened by drug-resistant bacteria traced to endoscopes, many want to know who dropped the ball, the manufacturer or regulators.

Jamie Hartford

It’s the kind of story anyone in the medical device industry—or anyone at all, for that matter—dreads to hear: Two patients at UCLA’s Ronald Reagan Medical Center were already dead, several others had been sickened, and nearly 200 more had potentially been exposed to carbapenem-resistant enterobacteriaceae (CRE), an drug-resistant superbug, traced to contaminated endoscopes.

When that story broke this past February, it was hard to escape, screamed from print and digital headlines, morning shows, and cable news loops. While at first the media homed in on the frightening facts, as the news cycle marched on the focus shifted, as it so often does, to the question of where to place the blame.

Were device manufacturers at fault?

After all, they were the ones that designed endoscopes with a hard-to-clean elevator mechanism and put out sterilization guidelines that, although supposedly followed appropriately by the hospital, had failed to prevent the outbreak.

The UCLA case wasn’t even the first time endoscopes had served as a vector for deadly bacteria. From 2012 to 2014, at least 32 patients at Seattle’s Virginia Mason Medical center were sickened by bacteria picked up from duodenoscopes. and hospitals in Illinois, Pennsylvania, and elsewhere have also experienced outbreaks.

A lawyer for an 18-year-old student stricken with the superbug has announced his intention to sue Olympus Corp., the Tokyo-based manufacturer of the Olympus TJF-Q180V duodenoscope linked to the UCLA outbreak. Outrage directed against the firm grew even more rabid when it came to light that the company was selling the device without FDA clearance.

But, as MD+DI associate editor Marie Thibault reported, that may have been due to confusion over whether a new 510(k) was needed.

That brings up the other party to which many sought to assign blame: FDA.

The agency did some things right. For example, it was quick to respond to the crisis at UCLA with a safety alert warning that the design of endoscopic retrograde cholangiopancreatography duodenoscopes may impede effective cleaning and recommendations for reprocessing of the devices and had warned physicians about the problem as early as 2009. And just weeks after news of the outbreak came to light, it published final guidance on reprocessing medical devices in healthcare settings—although, to be fair, that was nearly four years after the agency put out the draft of that guidance.

Still, some charge that FDA should have done more.

“. . . this agency, responsible for regulating all medical devices, has yet to take any action, though its menu of options is broad, ranging from taking the scopes off the market to demanding the manufacturers improve their designs or upgrade their recommended cleaning protocols,” Ford Vox, an Atlanta-based physician and journalist, wrote in an opinion piece for CNN.

For my part, I’m not sure who to blame, so I’ll keep my hands in my pockets and let others point the fingers. I’m sure that if I or a loved one had been affected by this tragedy, I, too, would be clamoring for someone to step up and accept responsibility. But speaking from the privileged place of an unaffected party, I understand that assigning blame isn’t as productive as focusing on how to prevent something like this from happening to anyone ever again.

While others are arguing over who’s at fault, the medical device industry and regulators should be clear-mindedly looking at what went wrong and how similar deaths and infections caused by superbugs stemming from devices can be avoided.

Is the answer closer regulatory scrutiny of manufacturers’ reprocessing guidelines? More manufacturer emphasis on designing for sterilization? Better postmarket surveillance to connect the dots between similar adverse events across the country?

I suspect it’s a combination of all those things and more, and laying blame on one party won’t provide the answers we need.

Jamie Hartford is MD+DI's editor-in-chief. Reach her at jamie.hartford@ubm.com or on Twitter @MedTechJamie

[image courtesy of AMBRO/FREEDIGITALPHOTOS.NET]

Bayer's Essure to Be Investigated

Bayer's Essure to Be Investigated

Marie Thibault

Roughly a month after receiving a citizen petition against Bayer’s Essure permanent birth control, FDA has forwarded the complaint to the Office of Compliance within Center for Devices and Radiological Health (CDRH) for investigation.

As previously reported, lawyers from the Law Office of Koch Parafinczuk & Wold, P.A. in Fort Lauderdale, FL, filed a citizen petition in late February against Essure permanent birth control. The authors represent hundreds of women who received Essure inserts and maintain that the device caused adverse events like device migration and organ perforation. The petitioners claim that medical data on Essure was fraudulently altered and that requirements of the device’s approval order and federal laws were flouted numerous times. The petition includes a request that FDA suspend Essure’s approval order and issue a recall.

The Essure system, now owned by Bayer after its 2013 acquisitions of Conceptus, involves hysteroscopic placement of nickel-titanium alloy inserts into the fallopian tubes, which, with tissue ingrowth, block the fallopian tubes and result in permanent birth control.

In a letter dated March 26 and posted online recently, William Maisel MD, MPH, deputy center director for science and chief scientist at CDRH, wrote that this petition is a “trade complaint because of the allegations against the ‘Essure’ product.”

The claims have been sent to the center’s Office of Compliance to be entered into the Allegation of Regulatory Misconduct system. The Office of Compliance will review and investigate the allegations and take action as needed. However, Maisel wrote, details of the investigation and explanation of the findings will not be communicated with the petitioners.

In an e-mailed statement, a Bayer spokesperson said, "The Citizen’s Petition regarding Essure was submitted to the FDA by a law firm that has filed several Essure product liability lawsuits naming Bayer as a defendant. The allegations made in the Citizen’s Petition are similar to those stated in the lawsuits. Bayer stands behind the safety and efficacy of Essure and will aggressively defend itself in Court. FDA has closed the petition and forwarded it to the Office of Compliance. We are cooperating with the FDA, and we will respond to any questions that the agency may have related to the allegations."

Stay on top of the latest trends in medtech by attending the MD&M East Conference, June 9–11, 2015, in New York City.

Marie Thibault is the associate editor at MD+DI. Reach her at marie.thibault@ubm.com and on Twitter @medtechmarie.

[Image courtesy of MASTER ISOLATED IMAGES/FREEDIGITALPHOTOS.NET]

Medtronic Attempts A Do-Over On Renal Denervation

Medtronic Attempts A Do-Over On Renal Denervation

Some physicians believe renal denervation is pretty much history.

After all, back in January 2014, the biggest trial of renal denervation conducted by Medtronic failed spectacularly in being unable to lower blood pressure in patients with resistant hypertension six months following the procedure. Soon after that announcement and well before its merger with Medtronic, Covidien too pulled the plug on its OneShot renal denervation program citing slow market growth in Europe.

But Medtronic is not giving up that easily.

renal denervation, hypertension, high blood pressure, Symplicity catheter,
The next generation Symplicity Spyral Catheter from Medtronic

The Irish medical device maker announced Wednesday that it has begun the SPYRAL HTN global clinical trial prpgram using the Symplicity Spyral catheter and Symplicity G3 radiofrequency (RF) generator. The program will involve two studies and both have been designed such that it can address the problems encountered in the original Symplicity HTN-3 trial.

It's not surprising that Medtronic is launching two studies using a next-generation system. After Medtronic announced that the Symplicity HTN-3 trial had failed, St. Jude Medical's CEO, Daniel Starks had briefly speculated that "the trial was done with a first-generation technology" with a catheter having a single electrode doing the job of neurostimulation.

Compare that to the Spyral device that Medtronic is testing which has multiple electrodes to provide mild electronic pulses to the renal artery.

"Medtronic believes the underlying science behind renal denervation is strong and that there is a clear unmet need for people with uncontrolled hypertension. Therefore, we remain committed to exploring the clinical potential of renal denervation in this population,” said Jason Weidman, vice president and general manager, Medtronic Coronary and Renal Denervation, within Medtronic’s Coronary and Structural Heart business, in prepared remarks. “To get to this point, we’ve performed extensive analyses and conducted additional pre-clinical testing following the SYMPLICITY HTN-3 trial. We’ve also consulted with the FDA and reimbursement bodies, and partnered with renowned thought-leaders worldwide to develop this novel clinical trial protocol.” 

It's important to note that neither of the two studies constitutes a pivotal trial, showing a deliberative, cautious approach. That's probably wise given how shocked the analyst community was when the pivotal trial of Symplicty HTN-3 failed given that they had all assumed the product would be approved based on great performance of the device in smaller studies before.

This time around the two studies will study the impact of renal denervation on patients who are currently taking anti-hypertension medication and patients who are off their medication. The studies will also enroll about 100 patients in 20 centers in the U.S. and abroad. Notably, the studies will evaluate renal denervation on patients with moderate- to high-risk hypertension instead of severe, drug-resistant hypertension.

Another difference is the number of medications that a patient enrolled in the second study that tests the therapy on patients currently taking medication. Whereas the failed trial had enrolled patients taking five drugs that control blood pressure, this time around, the trial will enroll patients who are on three drugs. Patients are also not required to be taking these drugs at their maximum dosage to qualify for enrollment.

"Studying patients both on and off medication in a less severe and more homogenous population than we saw in the SYMPLICITY HTN-3 trial is critical to gaining clarity on the true effect of this therapy,” said Dr. Raymond Townsend, director of the hypertension program, University of Pennsylvania in prepared remarks. “By specifying medication classes and not requiring maximum tolerated doses, we can expect medication variability to be reduced, which will allow for a more controlled assessment of the impact of renal denervation in the presence of medication.”

Based on the results of these two trials, Medtronic will determine the path to submitting a PMA submission to FDA and its equivalent agency in Japan.

Analysts have previously estimated the opportunity in renal denervation to be in the billions of dollars. 

Like Medtronic, St. Jude Medical also believes in the promise of the therapy. In September, the Minnesota medical technology company reported 12-month follow up data on patients who were treated with its multi-electrode catheter. part of it EnligHTN renal denervation system. The data shows that 78% of patients responded to the therapy.

Yet, the product is not doing well commercially in Europe and Australia where it launched in May 2012. The EnligHTN Renal Denervation System "continued to experience lower 2014 net sales ... compared to 2013 driven by expected overall market declines in the treatment of drug-resistant, uncontrolled hypertension," according to the company's 2014 annual report

Arundhati Parmar is senior editor at MD+DI. Reach her at arundhati.parmar@ubm.com and on Twitter @aparmarbb 

[Featured Photo courtesy of iStockPhoto.com user Just_Human
 Product Image courtesy of Medtronic]

Stay on top of the latest trends in medtech by attending the MD&M East Conference, June 9–11, 2015, in New York City.