On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices.  For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.   For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices address interoperability, usability and privacy continues to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack.

The current announcement is reflective of the interest of NIST and the Food & Drug Administration (“FDA”), the primary regulatory agency for medical devices, within the so-called Internet of Things (“IoT”).  Thus, NIST, through its National Cybersecurity Center of Excellence, will accept proposals up to  June 8, 2018, for “products and technical expertise” relevant to the creation of guidelines for securing data used by Picture Archiving and Communication Systems (“PACS”). NIST will attempt to harmonize the requirements for patient imaging devices with NIST’s overall cybersecurity framework.

The proposed project will examine the specific uses and regulatory requirements for patient imaging devices, and how those varying considerations apply to the use of the NIST cybersecurity framework. As the NIST project summary notes PACS are regulated by the FDA as “class II” devices that provide one or more functions related to the “acceptance, transfer, display, storage, and digital processing of medical images.”  These devices, which can be found in virtually every hospital, are not only vulnerable to cyber-attack in and of themselves, but NIST sees them as a “pivot point into an integrated healthcare information system.”

The current imaging device project follows last year’s release of draft guidelines for wireless infusion pumps, and evidences the government’s continuing concern, not only with the security of the IoT, but with specific reference to the vulnerable health care sector.

Epstein Becker Green routinely deals with questions related to medical device regulation and cybersecurity. For further information, you can contact Stuart Gerson, Adam Solander, Bradley Merrill Thompson or James Boiani.

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming executive order will reflect the Trump administration’s focus on improving the security of federal networks, protecting critical infrastructure, and establishing a global cyber strategy based on international law and deterrence, other policy demands have intruded. Indeed as the 100-day mark approached, President Trump announced that he has charged his son-in-law, Jared Kushner, with developing a strategy for “innovation” and modernizing the government’s information technology networks. This is further complicating an already arduous process for drafting the long-awaited executive order on cybersecurity, sources and administration officials say.

The Importance of NIST Has Been Manifested Throughout the Hundred Days

The expected cyber order likely will direct federal agencies to assess risks to the government and critical infrastructure by using the framework of cybersecurity standards issued by the National Institute of Standards and Technology, a component of the Department of Commerce.

The NIST framework, which was developed with heavy industry input and released in 2014, was intended as a voluntary process for organizations to manage cybersecurity risks. It is not unlikely that regulatory agencies, including the Office of Civil Rights of the Department of Health and Human Services, the enforcement agency for HIPAA, will mandate the NIST framework, either overtly or by implication, as a compliance hallmark and possible defense against sanctions.

NIST has posted online the extensive public comments on its proposed update to the federal framework of cybersecurity standards that includes new provisions on metrics and supply chain risk management. The comments are part of an ongoing effort to further revise the cybersecurity framework. NIST will host a public workshop on May 16-17, 2017

Health Industry Groups Are Urging NIST to Set up a ‘Common’ Framework for Cybersecurity Compliance

Various health care industry organizations including the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have asked NIST to help the industry develop a “common” approach for determining compliance with numerous requirements for protecting patient data. Looking for a common security standard for compliance purposes, commenters also argue that the multiplicity of requirements for handling patient data is driving up healthcare costs. Thus, the groups urge NIST to work with the Department of Health and Human Services and the Food and Drug Administration “to push for a consistent standard” on cybersecurity. One expects this effort, given strong voice in the First Hundred Days, to succeed.

The Federal Trade Commission is Emerging as the Pre-eminent Enforcement Agency for Data Security and Privacy

With administration approval, the Federal Communications Commission is about to release today a regulatory proposal to reverse Obama-era rules for the internet that is intended to re-establish the Federal Trade Commission as the pre-eminent regulatory agency for consumer data security and privacy. In repealing the Obama’s “net neutrality” order, ending common carrier treatment for ISP and their concomitant consumer privacy and security rules adopted by the FCC, the result would be, according to FCC Chairman Pai, to “restore FTC to police privacy practices” on the internet in the same way that it did prior to 2015. Federal Trade Commission authority, especially with regard to health care, is not without question, especially considering that the FTC’s enforcement action against LabMD is still pending decision in the 9th Circuit. However, the FTC has settled an increasing number of the largest data breach cases The Federal Trade Commission’s acting bureau chief for consumer protection, Thomas Pahl, this week warned telecom companies against trying to take advantage of any perceived regulatory gap if Congress rolls back the Federal Communications Commission’s recently approved privacy and security rules for internet providers.

OCR Isn’t Abandoning the Field; Neither is DoJ

While there have been no signal actions during the First Hundred Days in either agency. The career leadership of both has signaled their intentions not to make any major changes in enforcement policy.  OCR is considering expanding its policies with respect to overseeing compliance programs and extending that oversight to the conduct off Boards of Directors.

The Supreme Court Reaches Nine

Many would argue that the most important, or at least most durable, accomplishment of the Trump Administration to date is the nomination and confirmation of Neil Gorsuch to the Supreme Court. Justice Gorsuch is a conservative in the Scalia mold and is expected to case a critical eye on agency regulatory actions. There is no cybersecurity matter currently on the Supreme Court’s docket, but there will be as the actions and regulations of agencies like the FTC, FCC and DHHS are challenged.

The Food and Drug Administration (“FDA”) recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”

Officials from FDA, the Department of Health and Human Services (“HHS”), and the Department of Homeland Security (“DHS”) will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device cybersecurity.

CDRH OFFICIAL: BE AWARE OF DEVICE RISKS

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA Security

In her presentation “Medical Devices: A Practical Guide for Securing Patient Data“, Dr. Schwartz, from the FDA Center for Device and Radiological Health, emphasized the need for a collaborative approach in the medical device ecosystem to ensure security. Because most of the millions of hospital discharges, hospital outpatient visits, physician office visits and prescriptions in the US involve networked medical devices, Dr. Schwartz indicated that securing these devices is of the utmost importance for both regulatory and practical purposes.

MEDICAL DEVICES HAVE INHERENT VULNERABILITIES

Dr. Schwartz noted that as medical devices become increasingly connected through wireless and wired networks, it is critical to ensure adequate controls are in place on the network. Computers, wireless and mobile devices, and the medical devices themselves can be infected or disabled with malware. Security vulnerabilities also exist in the form of sharing of passwords, lack of proper training for personnel, and failure to update and patch software on the network.

Several medical devices have already been compromised in the past few years. For example, researchers demonstrated in 2013 that about 300 medical devices from around 40 vendors contained hard-coded passwords, making them highly vulnerable. In 2011, a hacker presented his findings related to his own insulin pump, which could easily be compromised and the pump’s levels remotely changed to a lethal dose.

FDA OFFERS STANDARDS, GUIDANCE

FDA has recognized standards for cybersecurity and interoperability as well as wireless technology in medical devices. Additionally, on October 2, FDA released final guidance, on the content of premarket submissions for medical device cybersecurity.  Those of you who are familiar with the draft guidance should note that the final guidance is substantially similar to the draft guidance with some additional emphasis on balance, emphasizing that security should not unreasonably limit the ability to use a device in emergency situations.

For those who are not familiar with the draft guidance, the final guidance describes the information that manufacturers should include in their premarket submission.  It recommends medical device manufacturers consider the following as part of their cybersecurity activities:

  • Identify and protect by limiting access to trusted users and ensuring trusted content;
  • Implement features to detect security compromises
  • Inform the end user about the appropriate action to take if a security compromise is detected
  • Protect critical functions, even in the event of a security compromise

Device stakeholders would do well to review these documents and ensure that they understand the steps they should take to meet these standards and comply with the HIPAA Security Rule.

WHAT STAKEHOLDERS SHOULD DO

There are a number of good steps which can be taken to reduce risk. Properly training all personnel is critical to avoid loss of devices, phishing attacks, and more. Ensuring that software is always the most up-to-date version is an easy and important measure to improve security. Additionally, segregating network functions will ensure that any compromise will not affect the entire universe of networked devices. New devices and software should be thoroughly inspected for potential security vulnerabilities before adding them to the network.

On top of those steps, healthcare entities should conduct regular risk assessments and network security audits. Crafting policies to comply with standards such as ISO-27001, COBIT 5, or the HITRUST Common Security Framework is a must.

Our colleagues Adam Solander and Ali Lakhani provide an update on the HIPPA Conference last week in Washington, DC. 

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

For the full post, please visit the TechHealth Perspectives blog.