The medical device industry has not been enthusiastic about the U.S. government’s initiative to ensure its products are safe from hackers.
By Jim Dickinson
You can lead a horse to water, it is said, but you can’t make it drink. That seems to be the federal government’s experience to date with the medical device industry and its apparent lack of a thirst for cybersecurity.
Given until November 24 to file comments on a September FDA call for public input on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity,” both of the two main medical device industry organizations—AdvaMed and the Medical Device Manufacturers Association—told me they had elected not to comment.
Indeed, 10 days after the comments deadline the FDA initiative’s public docket at Regulations.gov showed only nine comments had been received, none of which were posted (there is usually an indeterminate lag time between receipt and posting).
Industry’s apparent lack of enthusiasm for this government initiative, in which FDA was joined by its parent Department of Health and Human Services (HHS) as well as the Department of Homeland Security (DHS), stands in the wake of a major government effort to promote it through a two-day public workshop in October.
Throughout a massive program aided by presentations from six medical device companies (Adventium Laboratories, GE Healthcare, Medtronic, Philips Healthcare, Siemens Medical, and Toshiba Medical), the workshop’s leaders repeatedly emphasized the importance of mutual trust, without which they said the vaunted “collaboration” would not succeed.
The initiative’s goals derive from President Obama’s February 2013 “Executive Order 13636—Improving Critical Infrastructure Cybersecurity,” which is heavy with terms like “critical infrastructure,” “cybersecurity regulatory requirements,” and “debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
It’s likely that few, if any, in the medical device industry immediately saw themselves as implicated in such terms until FDA published its “collaborative approaches” call for comments in the Federal Register last September, whereupon an alien landscape loomed before them.
While medical device technology has for decades been increasingly enmeshed in the electronic infrastructures of medical practice settings such as clinics and hospitals, creating deepening awareness of such issues as electronic interference and system incompatibilities, national security implications have not been obvious.
Injecting that complex “foreign” element into the evolving—if slow-moving—relationship between industry and medical practices when it comes to electronic systems might turn out to be a leap too far.
In the wider world, cybersecurity has had more recognition in the contexts of terrorism, global Internet mischief-making, and economic crime than in any medical or health context.
The antiterrorism-focused DHS’s partnering with FDA and HHS in a joint approach to the medical device industry must have seemed jarring, if not faintly alarming, to industry leaders.
But, as DHS assistant deputy director for national cybersecurity and communication Marty Edwards told the October workshop, the medical device industry’s level of sophistication in cybersecurity issues and especially in their growing integration with the wider world’s industrial control systems, is at least 10 years behind those other industries.
“Absolutely everything is going to be interconnected in one way or another,” he said. “There is a vulnerability in every device—it’s just waiting to be found.”
The Reuters news service reported after the workshop that an unnamed senior DHS official had told it that the department was then investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials feared could be exploited by hackers. Reuters named three of them: a Hospira infusion pump and implantable heart devices from Medtronic and St. Jude Medical.
The medical device industry’s apparent slowness to embrace this vulnerability persuaded one interested party, the American Hospital Association (AHA), to urge FDA in a five-page letter dripping with barely disguised frustration to “hold device manufacturers accountable for cybersecurity, while also encouraging them to participate in the existing HPH [healthcare and public health] activities to share information on cyber risk.”
The letter went on to assert that device makers “must embrace their responsibility to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge . . . Medical device manufacturers also must participate in existing information-sharing activities . . .”
And FDA itself, as a regulator often accused of being too cozy with the medical device industry, also came under the AHA’s gunsights.
“As the regulator of medical devices, the FDA has a role to play in ensuring that risk is minimized by manufacturers and that they engage in information-sharing activities,” senior vice president Linda E. Fishman wrote. “The AHA applauds the agency’s recent guidance on content of pre-market submissions for management of cybersecurity in devices. However, we urge the FDA also address expectations of manufacturers for legacy devices.”
In this view, Fishman was echoing the sentiments of Homeland Security’s Marty Edwards at the October workshop, when he expressed some frustration with the industry’s protectiveness of its various investments in security measures of all kinds, not just cybersecurity.
It shouldn’t seem surprising that the AHA, as the collective voice of the medical device industry’s main customers, would feel free to publicly take such a forthright “buyers’ market” posture toward the industry. Its 5000 institutional members harbor a diversity of established security and control systems that may be threatened by the technologically innovative products introduced by new and rival medical devices.
President Obama’s executive order, the instigator of all this, seemed to anticipate the turf issues between competitors in industries being asked to share information for the good of all and the nation. It frequently stressed the “voluntary” and “consultative” nature of the government’s impending cybersecurity “collaborations” with the private sector.
It even proclaimed U.S. policy “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity” through “a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
But those were broad strokes. They left the thorny details to distant boots on the ground—the implementers and negotiators of DHS, HHS, FDA, and the seemingly skittish medical device industry.
As stated so often at the October workshop, the success of the enterprise will depend on how much mutual trust can be elicited from all participants.
Trust, however, is an increasingly scarce commodity in Washington, DC. As New York Times commentator and author Thomas Friedman wrote in a December 2 column, the nation’s focus on terrorism, combined with gotcha politics, has killed creative thinking in the capital.
DHS’s lead role in the collaborative approaches for medical device and healthcare cybersecurity may give the industry an unfortunate if unstated reason to hesitate before trusting.
This horse doesn’t seem the least bit thirsty.
Jim Dickinson is MD+DI’s contributing editor.