On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions. This guidance comes at a critical time as the healthcare industry is a prime target for hackers. On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities. Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware. Many experts are also projecting that more cyber-attackers will target devices in 2019.
The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks. Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices. However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation. As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.
There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT. Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components. These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.
The FDA guidance addresses a number of key areas of risk. In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices. For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data. Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety. Finally, a number of devices are vulnerable to malware without the ability to apply security patches.
To reduce risk, there are several measures that can be implemented to enhance device security. For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties). As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.
EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.