There is growing concern among patients and regulators that medical devices, especially implantable electrophysiology (EP) devices with wireless capabilities, are vulnerable to cyber attack. While there are no known instances of a hacker accessing and manipulating a patient’s implanted device, this fear was raised publicly in August 2016 when the financial investment firm Muddy Waters reported specific vulnerabilities with St. Jude Medical’s (SJM) EP devices. This was followed in December with the U.S. Food and Drug Administration (FDA) announcing its plans to set regulatory guidance to ensure that medical devices are secure from cyberattack. This includes tightening security on cardiac implantable EP devices where a hacker could potentially have a direct impact on a patient’s safety, including pacemakers, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization devices (CRTs).
The ability of healthcare to safeguard patient data stored in their medical records from cyberattack has not offered much confidence, with vast numbers of patients' data being accessed by hackers each year. According to the U.S. Department of Health and Human Services Office for Civil Rights, the largest healthcare data breaches between 2015-2016 accounted for more than 127 million patient records being compromised, mostly by deliberate cyberattacks.
In April, the FDA sent a harsh warning letter to Abbott/SJM (Abbott acquired SJM in January 2017) blasting the company for failure to address several issues with its implantable EP devices. This included failure to adequately protect patients with implanted EP devices from cyberattacks.
However, Abbott/SJM has said other EP device manufacturers are having similar cybersecurity vulnerabilities with their EP devices. The SJM vulnerabilities cited in the third-party report in August 2016 specifically concerned the Merlin@home wireless monitoring system. However, all newer generation EP devices sold by Abbott/SJM, Medtronic, Boston Scientific and Biotronik now use similar wireless connections between the implanted devices and a base station unit at the patient’s bedside. These systems allow the device to automatically connect while the patient is sleeping so it can upload data to the manufacturer’s remote EP device patient monitoring systems. The systems automatically notify the patient’s physician if there is a problem with the patient’s cardiac health or with the device itself. While these systems have been shown to improve patient safety and monitoring, the wireless connectivity of these systems is said to be vulnerable to hackers, similar to hackers being able to use public Wi-Fi networks to infiltrate connected users’ computers.
Because Abbott/SJM has been at the center of the medical device cybersecurity discussion, the company sponsored a continuing education credit dinner program at the Heart Rhythm Society (HRS) 2017 meeting. The event included a panel of cybersecurity experts who explained the issues healthcare is facing and offered some ideas on how to combat the threats.
Connecting the Healthcare Enterprise Opens the Door to Cyberattacks
Healthcare IT cybersecurity measures rank well below other industries, said Beau Woods, deputy director, Cyber Statecraft Initiative, one of the panelists at the HRS event. He said healthcare is way behind other industries in adopting IT systems to eliminate paper records and automate processes digitally. However, this has also left them with little experience in cybersecurity as they connect IT systems for entire hospitals or entire health systems into one big enterprise network to boost efficiency.
“We want to fix big problems in healthcare by connecting everything, but it also creates a vulnerability that can be exploited by a hacker,” Woods said.
He said an excellent case study of what can happen when you connect everything together and do not work out all the cybersecurity details is the first healthcare system ransomware attack on Hollywood Presbyterian Hospital in Los Angles. It was one of the first hospitals to suffer a big ransomware attack on an electronic medical record (EMR), which locked everyone out of the the system's data for a week before paying a $17,000 ransom to restore access. Woods said the ransomeware found its way into the system via a soft drink machine that was connected to the hospital's IT network. He said it is possible other devices connected to hospital IT systems may pose similar security holes.
“Right now we don’t know about people going after implantable devices, but that is not to say that these devices will not be affected,” Woods said. “It is more likely that a computer virus will infect the implantable device monitoring network by chance or accident.”
While implantable devices have not yet been affected by cyber attacks, other medical devices have. Woods said the first case of a hacker shutting down medical devices due to a cyber security vulnerability were fetal monitors at a hospital. He said it was a malicious software programmed to steal credit card information, but it brought down a system used for patient care.
Use of White Hat Hackers to Find Vulnerabilities
One way to identify these security loopholes is to pay people to find them. In the software and IT industry, there are good and bad hackers. Woods said the good ones are referred to as “white-hat hackers” because they bring the vulnerabilities to the attention of companies so they can be fixed. For this reason, Woods said it is important for medical device makers to be open to anyone who wants to report cybersecurity vulnerabilities in their systems. In the software world, Woods said there is usually a “bug bounty” cash reward offered to hackers who bring security issues to vendors' attention.
“We can’t do this alone, it is absolutely critical we draw resources from the community,” said Suzanne Schwartz, M.D., MBA, assistant director for science and strategic partnerships, Center for Devices and Radiologic Health, U.S. Food and Drug Administration (FDA). “There is a need for more education and awareness in the healthcare industry, and what is important is that we protect patients from harm.”
Some medical device vulnerabilities have been identified by white-hat hackers and were fixed. Schwartz said one such hacker found an issue with a particular infusion pump maker’s system where a hacker could deliver an entire IV bolus at once and bypass the settings made by a nurse. She said the FDA worked with the vendor to fix the issue and pull the older infusion pumps with the vulnerability out of the market.
“I am much more concerned about an attack on infusion pumps than I am in ICDs or pacemakers because it would have more impact on patients and would be easier to access,” said Russel Jones, national co-leader, medical device safety and security, Deloitte Cyber Risk Services. “What we think is that there is someone with nefarious intent to harm patients, but what I usually see is more benign. It's usually a doctor who brings a thumb drive from their home computer, where their kid accidentally downloaded malware, and it infects the hospital’s computer system.”
He said the main danger in his eyes is malware causing devices to shut down as an unintended consequence. Jones explained there is no value for hackers to access medical devices or devices implanted in patients unless there is an easy financial payoff.
Addressing Patient Concerns About Their Devices Being Hacked
While cybersecurity of medical devices is largely an academic discussion, no known deliberate attacks having yet been made, the real concern is patient perceptions. If a patient does not feel safe having a device implanted because of concerns about hackers, they may decide not to get a potentially life-saving therapy, or not want the device connected to remote monitoring systems, said William Murray, MDIC, president and CEO, Medical Device Innovation Consortium. He explained this was a concern from one VA hospital doctor he worked with, who said patients have elected not to have their EP devices connected to the web. He said some veterans perceived a very real cybersecurity threat and also fear “Big Brother” will be watching them.
To address these concerns, Murray suggested medical devices should have a safety mode to prevent them from being hacked from an outside threat. This could be used for patients who are apprehensive about connecting their device to wireless base monitors, or in case a future device attack takes place so devices can be disconnected from the web.
Woods said the question in patient conversations should not be a list of hypothetical “what-ifs,” but should be flipped so there is discussion on what is being done to prevent cybersecurity issues in these devices.
The Future of Healthcare Depends on Data Security
“The future of healthcare is virtual — 80 percent of care in the next 10 years will be virtual care, not brick-and-mortar hospitals,” said Leslie Saxon, M.D., executive director of the University of Southern California Center for Body Computing. She predicts healthcare will soon move sharply toward the use of smartphone technologies, autonomous sensors that are either worn or implanted in patients to monitor their health, and care via telemedicine.
“We need to be able to present the future of connected healthcare, but we need to do it in a way that will not scare the public,” she explained. “The future of healthcare is about software and devices, so this is an issue that keeps me up at night.”
She said the public has major concerns about their healthcare being discussed and shared over the web, or the possibility of cyberattacks on their providers exposing their financial information, Social Security numbers and other personal information. There is also concern that hacking into wireless devices implanted inside patients may have a direct impact on patient safety. Saxon noted when the Muddy Waters report came out, the investors reacted and SJM’s stock price immediately dropped 4 percent.
Jones said a big question in the coming years might be at what point does cybersecurity risk become a regular risk factor physicians need to discuss with their patients when they are considering an implantable device therapy.
FDA Wants to Regulate Medical Device Cybersecurity
Last December, the FDA issued a guidance document entitled "Post-market Management of Cybersecurity in Medical Devices,” (Part 806 (21 CFR part 806)) with the aim of getting device vendors on the same page for cybersecurity. The guidance clarifies FDA's post-market recommendations with regards to addressing cybersecurity vulnerabilities and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the post-market management of their medical devices.
In May, the FDA, in association with the National Science Foundation (NSF) and Department of Homeland Security, Science and Technology (DHS, S&T) hosted a public workshop entitled “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.” The purpose was to examine how the FDA can collaborate with healthcare and public health (HPH) stakeholders. They worked to identify regulatory science challenges, discuss strategies to address those challenges, and encourage proactive development of analytical tools, processes and best practices to strengthen medical device cybersecurity. The goal was to create a framework to address the cybersecurity regulatory science gaps. This will include collaborative research conducted between federal agencies such as NSF, DHS, S&T, academia, medical device industry and third-party experts.
Schwartz stressed healthcare needs to foster an environment of quality assurance for cybersecurity, just as it does for other areas of patient safety. She also said manufacturers can make changes to devices to address cybersecurity vulnerabilities without the FDA’s approval. Schwartz said most medical device software changes made solely to strengthen cybersecurity do not require pre-market review or a product recall.
Related Healthcare Cybersecurity Content:
1. U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed Aug. 15, 2017.