Clinical Researcher—March 2018 (Volume 32, Issue 3)
When I think of cybersecurity, the images that come to mind are nefarious hackers trying to steal personal identification from credit companies, spies breaking into government data repositories as part of an elaborate espionage plot, or even Keanu Reeves plugging into the Matrix to overthrow an out-of-control artificial intelligence. I don’t immediately think of medical devices as the next cybersecurity threat. However, the tides are changing, and cybersecurity is something that we in the device industry should get out in front of.
One thing’s for sure—computer technology continues to play a critical and growing role in the medical device industry. Trade shows like the Heart Rhythm Society Annual Meeting are full of row upon row of booths displaying devices that range from small, wearable heart monitors to implantable defibrillators—all run and monitored by software that is very likely tied to a network of some kind. Any medical device that is on a network and sends, receives, or stores information can be a target for parties who want that information in bad faith.
Why Disrupt Devices?
Does it seem likely that someone would go through the trouble to hack into an insulin pump to administer someone a lethal dose? Probably not. However, if ransomware can be used to hold someone’s credit card information hostage until they pay a “fee” to have it released, how long before the hackers figure out they could probably get a lot more ransom by holding life-saving information or treatment hostage?
While the likelihood of someone hacking into a defibrillator is low, the result of such an action would be serious in the extreme. This is something medical device companies are being forced to consider as they struggle with the high-tech problems that go with their high-tech products.
What Can be Done?
Medical device companies aren’t the only ones who have this on their mind; the U.S. Food and Drug Administration (FDA) and the European Union Agency for Network and Information Security (ENISA) has been thinking about it, too. The FDA issued guidance documents for management of cybersecurity in both pre- and post-market settings. The pre-market guidance document, issued in December 2014, recommends a proactive approach in thinking about cybersecurity, and includes a four-point list of cybersecurity information to include in pre-market submissions for applicable devices.1
The FDA recommends the inclusion of information on the following considerations:
- Device Description—This should include discussion of each externally facing electronic interface on the devices, its purpose, and indicated use and/or limitations.
- Risk Analysis—Including risks associated with interoperability, potential misuse, and foreseeable combinations of events that could cause potential issues with patients.
- Verification and Validation—Covering details of the verification and validation testing for all device interfaces.
- Labeling—Documentation of the device’s intended use for safety and efficacy. The labeling should be compliant with FDA’s regulatory requirements on labeling of medical devices.2
The post-market guidance document, issued in December 2016, again notes the threat that networked medical devices face and encourages manufacturers to think about how they will approach the issue throughout the product’s life cycle.3 Evaluation of cybersecurity risk for devices is largely dependent on the impact on patients if exploitation occurred, and whether that risk is sufficiently controlled.
The post-market guidance offers recommendations on how to asses this risk based on likelihood of exploit, the impact of exploit on patient safety and device performance, and severity of patient harm if exploited. Guidance is provided for when updates made to protect against potential risks need to be reported, plus the document provides a list of what the FDA considers to be critical components of a robust cybersecurity risk management program. A cybersecurity risk management program should include assessment of the exploitability of the cybersecurity vulnerability, assessment of the severity of patient harm, and evaluation of the risk of potential patient harm.
As medical devices become more technologically advanced and the use of consumer devices to monitor one’s health continue to grow, the issue of cybersecurity will continue to be one that developers, contract research organizations, and clinical trial sites are forced to consider and address in order to adhere to FDA guidance and protect patient information and safety. While hacking into a medical device may not seem as appealing to criminals as, say, hacking into the Pentagon, it is the responsibility of device researchers to be prepared if the “bad guys” decide to turn their attention to this sector.
Eric Distad (firstname.lastname@example.org) is Executive Director for Medical Device and Diagnostics with Syneos Health.