A growing number of IP-enabled medical devices are entering the market. Initially there was not much attention paid to the real world effects of this recent trend, but now with embedded software in many products, ranging from health tracking wristbands to cardiac monitoring undergarments, regulators and manufacturers are becoming increasingly concerned about the impact of poorly-secured devices. This concern is not new, yet it is very real– witness the flap in 2013 with former vice president Dick Cheney and his defibrillator.1
Internet-enabled medical devices and electronic databases for clinical and administrative operations, networked technology and greater connectivity may increase exposure to possible cybersecurity threats that require manufacturers, hospitals and other healthcare providers to evaluate and manage a new set of risks.
Connected medical devices—like other computer systems—can be vulnerable to security breaches and have a potential major impact on safety and effectiveness of the device. Specifically, in a healthcare environment, this vulnerability increases as medical devices and medical equipment are becoming more connected through the internet to other medical devices, patients and/or to hospital networks (also referred to as the Internet of Medical Things).
Recently, the FDA issued a safety communication, noting that cybersecurity vulnerabilities in St. Jude’s Medical implantable cardiac device could be a serious problem.2 As of the date of the notice, there had been no reports of patient harm related to any cybersecurity vulnerabilities. However, the government publicly acknowledged this specific type of threat for the first time.
St. Jude Medical recalled Implantable Cardioverter Defibrillators (ICD) and Cardiac Resynchronization Therapy Defibrillators (CRT-D) due to premature battery depletion. This transmitter uses a home monitor to transmit and receive RF signals wirelessly to the pacemaker. FDA found that this transmitter was vulnerable to attack, and noted in their press release:
“The FDA has reviewed the information concerning potential cybersecurity vulnerabilities associated with this transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the transmitter. The altered transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.”
Fortunately, according to the FDA, they have no evidence of any adverse events, including death as a result of the vulnerability yet. FDA also noted that St. Jude Medical issued a patch on January 9 that fixes the vulnerability and was quick to issue a statement and took the appropriate remediation actions by patching its systems against “highly unlikely medical device cyber risks”.
To address the cybersecurity threat, in December 2016 FDA issued Guidance on Postmarket Management of Cybersecurity in Medical Devices. The agency highly recommends that both hospitals and medical device manufacturers implement a proactive, comprehensive risk management program that includes:
Hospitals should make this program an integral part of their existing governance, risk management and business continuity framework. Manufacturers must also pay extra attention to this relatively new challenge and consider the impact on their existing procedures for quality and safety.
As internet-enabled medical devices and electronic databases for clinical and administrative operations continue to grow, so do their potential exposure to cybersecurity threats. From an IT perspective, connected medical devices can be subject to additional cybersecurity risks, including denial-of-service and patient data theft. Computer viruses and malware also have the potential to jeopardize a patient’s treatment and privacy.
A thorough and well thought out cybersecurity management policy is critical today for healthcare organizations and medical device manufacturers. Device manufacturers must consider cybersecurity, beginning with the design phase and throughout the product lifecycle, including the equipment and patients that will be connected to the device over a network. They should constantly include innovative improvements around privacy and security into their product design and development procedures. Individuals responsible for all IT systems and securing the embedded technology within devices should also make this a top priority.
The time to implement a proactive, comprehensive risk management program to eliminate cybersecurity threats is now.