Due to cybersecurity vulnerabilities identified in Medtronic's MiniMed 508 and MiniMed Paradigm insulin pumps, a hacker could potentially connect wirelessly to a nearby device and change the pump's settings, FDA said on Friday. This could allow a person to over-deliver insulin to the patient, leading to low blood sugar, or to stop insulin delivery, leading to high blood sugar and a buildup of acids in the blood.
To be clear, there have not been any confirmed reports of patient harm related to these risks, but it's scary to think about the possible fallout if a hacker were to take advantage of this vulnerability to intentionally blackmail or hurt a targeted individual who happens to use one of these devices.
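The risk FDA describes comes down to a pump acting on wireless settings changes it cannot tell apart from a legitimate controller's. The following is an added illustration written for this article, not code from Medtronic, FDA or any real pump firmware, and it assumes a hypothetical JSON command format, a pre-shared key, and constructed safety limits. It contrasts a legacy handler that trusts any message that parses with a hardened one that authenticates each command, rejects replays, and refuses dose settings outside a clinician-set envelope, so a single accepted message cannot over-deliver insulin or silently stop delivery without a record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Clinician-set safety envelope (constructed values for this example).
MAX_BASAL_UNITS_PER_HOUR = 3.0
MAX_BOLUS_UNITS = 10.0


@dataclass
class PumpState:
    basal_rate: float = 1.0          # units/hour currently programmed
    suspended: bool = False          # True means delivery is stopped
    last_counter: int = 0            # highest command counter accepted so far
    pending_bolus: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)


def legacy_apply(pump, payload):
    """'Before' pattern: applies any radio message that parses, no checks."""
    cmd = json.loads(payload)
    if "basal_rate" in cmd:
        pump.basal_rate = float(cmd["basal_rate"])
    if "suspend" in cmd:
        pump.suspended = bool(cmd["suspend"])
    return True


def _mac(key, counter, payload):
    """HMAC-SHA256 over the counter and payload (hypothetical framing)."""
    return hmac.new(key, counter.to_bytes(8, "big") + payload,
                    hashlib.sha256).digest()


def sign_command(key, counter, payload):
    """Controller side: produce (counter, payload, tag) for transmission."""
    return counter, payload, _mac(key, counter, payload)


def verify_and_apply(pump, key, counter, payload, tag):
    """Hardened handler: authenticate, reject replays, validate every field
    against the safety envelope, and only then commit the new settings."""
    # 1. Authentication in constant time; unsigned or tampered frames stop here.
    if not hmac.compare_digest(_mac(key, counter, payload), tag):
        pump.audit_log.append("rejected: bad MAC")
        return False, "bad MAC"
    # 2. Monotonic counter defeats replay of a previously valid frame.
    if counter <= pump.last_counter:
        pump.audit_log.append("rejected: replayed counter %d" % counter)
        return False, "replay"
    # 3. Parse, then validate all fields before changing any state.
    try:
        cmd = json.loads(payload)
    except ValueError:
        pump.audit_log.append("rejected: malformed payload")
        return False, "malformed"
    if "basal_rate" in cmd:
        rate = float(cmd["basal_rate"])
        if not 0.0 <= rate <= MAX_BASAL_UNITS_PER_HOUR:
            pump.audit_log.append("rejected: basal %.2f outside envelope" % rate)
            return False, "out of envelope"
    if "bolus" in cmd:
        bolus = float(cmd["bolus"])
        if not 0.0 < bolus <= MAX_BOLUS_UNITS:
            pump.audit_log.append("rejected: bolus %.2f outside envelope" % bolus)
            return False, "out of envelope"
    # 4. Commit atomically and leave an audit trail for every applied change.
    pump.last_counter = counter
    if "basal_rate" in cmd:
        pump.basal_rate = float(cmd["basal_rate"])
    if "bolus" in cmd:
        pump.pending_bolus.append(float(cmd["bolus"]))
    if "suspend" in cmd:
        pump.suspended = bool(cmd["suspend"])
    pump.audit_log.append("applied counter %d: %s" % (counter, sorted(cmd)))
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # placeholder, not a real pump key
    pump = PumpState()
    frame = sign_command(key, 1, b'{"basal_rate": 1.5}')
    print(verify_and_apply(pump, key, *frame), pump.basal_rate)
    print(verify_and_apply(pump, key, *frame))          # replay -> rejected
    frame = sign_command(key, 2, b'{"basal_rate": 25}')
    print(verify_and_apply(pump, key, *frame), pump.basal_rate)
    print(pump.audit_log)
```

The ordering matters: the authenticity check runs before anything is parsed, the counter check runs before any field is applied, and no setting is written until every field in the frame has passed the envelope check, so a frame that is partly valid cannot leave the pump in a half-applied state. The audit log gives the care team and manufacturer something to investigate, which the legacy handler never records.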
Cybersecurity is one of the biggest issues keeping medtech manufacturers awake at night, according to a panelist at MD&M West 2019.
“Depending on the particular segment, cybersecurity is a really critical issue for the medtech industry,” said Yarmela Pavlovic, a partner at Hogan Lovells, an international law firm. “I see companies at varying stages of adoption in cybersecurity policies, and for very young companies coming more from the tech industry, cybersecurity feels like a much more natural fit. . . But then there are a lot of companies grappling with legacy products and trying to implement cybersecurity controls based on more modern technology for products where those concerns were not part of the original design and development.”
Steve Abrahamson, senior director of product security at GE Healthcare, also spoke about cybersecurity at MD&M West in February.
"Going back five or 10 years ago, researchers started showing that it was possible to hack into medical devices and possibly cause the patient harm," Abrahamson said. "... It's never actually happened in the real world, but it is very terrifying to people because it could happen in theory."
Abrahamson said there has been a shift in mentality when people think about security for medical devices.
"In traditional safety risk management, we're protecting people from malfunctioning devices," he said. "When we think about cybersecurity risk management, we're protecting devices from malfunctioning people."
The Harshest Critics of Medical Device-Related Cybersecurity Flaws
Reports of cybersecurity vulnerabilities like Medtronic's have drawn particularly harsh criticism from cybersecurity experts outside of the medical device industry.
"Medical device manufacturers who aren't engaging in real security, or in this case, even basic security practices, should probably have their FDA approvals revoked," said Aaron Zander, head of IT at HackerOne, in response to an earlier cybersecurity issue involving Medtronic's implantable defibrillators. "Unlike a kids toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn't meant to come out and be replaced regularly. The surgery to replace this with a 'better' or 'safer' version in itself is dangerous and comes with life-threatening repercussions."
It should be noted, however, that most cybersecurity vulnerabilities in medical devices are typically addressed with a software or firmware update. Patients do not usually have to have the device surgically replaced.
"The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security," Zander said. "The repercussions of not acting now are deadly."
Deborah Chang, VP of business development and policy at HackerOne, suggested that the problem has to do with a lack of cybersecurity education.
"Only in the last 15 years have there been any formal biomedical engineering degrees. Even so, these degrees/programs do not teach cybersecurity or have it as part of their curriculum," Chang said. "When designing a device, you are thinking about fixing a biological problem with a mechanical device. You are not thinking about the security of the device. Therefore, the culture must be changed."
What Is the Government Doing About Medtech Cybersecurity Vulnerabilities?
The issue has certainly not escaped the attention of lawmakers.
In February, Sen. Mark Warner (D-VA) sent letters to several healthcare organizations, including AdvaMed, to seek input on ways to improve cybersecurity in the healthcare industry. In his letter, Warner mentioned apparent gaps in oversight.
“The increased use of technology in healthcare certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending," Warner said. "However, the increased use of technology has also left the healthcare industry more vulnerable to attack."
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyber attacks would cost the U.S. healthcare system $305 million over a five-year period.
"As manufacturers of medical devices, patient safety is our number one priority and we take seriously the need to continuously assess the security of our devices in a world where technology constantly evolves," AdvaMed said in its response to Warner.
Healthcare Cybersecurity Must-Haves
While there are a number of challenges involved with protecting medical devices from hackers, Abrahamson shared the following "must haves" that hospital organizations are looking for from medical device manufacturers: devices with built-in product security, security-aware purchasing contracts, and an organizational support plan.
"They want devices with built-in product security. They're actually baking security requirements into their purchasing contracts, so I spend a lot more time than I want to working with our sales and contract team on negotiating terms with our customers and how we will support security within the products that we're selling," Abrahamson said. "And also organizational support, how are manufacturers going to work with users of devices to make sure that products are going to be supported throughout the lifestyle."
Perhaps one of the biggest takeaways from Abrahamson's presentation is the importance of addressing cybersecurity risks across every major function of the organization.
"In many cases, security in the technology area is viewed as an engineering problem," he said. "Yeah we have smart engineers, they'll figure out how to solve this, but it is not an engineering problem. It has a lot of engineering-based solutions, but it can only be solved by a multifunction approach including engineering, service, product management, and the commercial side."
FDA has responded to cybersecurity concerns like these with formal guidance, and cybersecurity is one of the reasons the agency wants to modernize its 510(k) clearance pathway.
AdvaMed has also adopted a set of five principles aimed at helping medical device companies and healthcare organizations mitigate cybersecurity threats. In short, these include: addressing cybersecurity risk from device conception through disposal; an understanding that medical device cybersecurity is a shared responsibility; implementing coordinated disclosure policies; participating in information sharing programs; and having standards and regulations developed collaboratively among all relevant stakeholders.