FDA guidelines for medical device cybersecurity call for all-out fight vs. hacking

If you want to prevent computer hackers from attacking medical devices, it's not enough to just design the best device you can before shipping it out the door.

Preventing cyberattacks in today's fast-changing wired world also requires med-tech companies and hospitals to continually look for problems in existing devices, and to communicate early and clearly when potential risks emerge, federal regulators say.

"Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, life cycle approach that begins with early product development and extends throughout the product's life span," wrote Dr. Suzanne Schwartz, an associate director with the Food and Drug Administration's medical device division, on the official FDA Voice blog.

The FDA finalized a long-awaited set of guidelines last week on cybersecurity precautions for "postmarket" medical devices — devices that are already FDA approved, including those already sitting on hospital floors or inside patients' bodies.

The FDA's 30-page guidance strongly recommends device makers use active surveillance and threat-assessment tools to judge the likelihood that a new cybervulnerability affecting an older device will harm patients. If the severity of potential patient harm is high, but no patient has yet been hurt, the FDA wants device makers to inform their customers and users about the problem within 30 days, and come up with a fix in 60 days.

"I think the FDA is trying their hardest to encourage industry to adopt good practices when it comes to ­cybersecurity," said Ken Hoyme, a longtime Minnesota med-tech cybersecurity researcher who recently became Boston Scientific's director of product security.

At Minnesota-run Medtronic, cybersecurity is addressed proactively during the design stage and on an ongoing basis in the postmarket. The challenge is to add security features while still retaining the usability of the device, the company says.

The explosion in wireless communication capability in medical devices has brought advantages in patient health and clinical efficiencies, but it also enables computer hackers to attack devices ranging from pacemakers to personal insulin pumps to hospital drug-infusion machines.

In August, Minnesota-based St. Jude Medical denied reports from a short-selling firm that thousands of the company's pacemakers and implantable defibrillators were unusually vulnerable to hacking because of flaws in the systems used to communicate with the devices at home and in the doctor's office. St. Jude has denied the allegation and sued the short-sellers for defamation, while the critics stand behind their statements.

In October, Johnson & Johnson publicly acknowledged a security vulnerability in its Animas OneTouch Ping insulin pump that would allow a hacker to gain control of the device and remotely cause it to overdose a patient with insulin. The company said the possibility of someone exploiting the vulnerability was low, but it also gave anxious users options to turn off the device's wireless capabilities or limit maximum doses.

In 2015, the FDA issued an unprecedented warning for hospitals to stop using Hospira's Symbiq Infusion System because a hacker could access the drug pump through a hospital network and change the dosage settings.

Meanwhile hospitals, like businesses everywhere, are being increasingly targeted by "ransomware" hackers who encrypt vital files on an network and then demand money to release the data. A handful of hospitals acknowledged such attacks in 2016, but cybersecurity consulting firm NTT Security says health care is one of the most frequently targeted sectors by ransomware in the U.S. economy.

Ransomware is typically distributed to hospitals through familiar e-mail "phishing" attacks, but cybersecurity experts say unguarded data ports and hard-coded passwords in some medical devices may offer hackers enticing entry points into a hospital network to leave malicious code or eavesdrop on network traffic.

Such risks might induce anxiety among patients, but device companies and cybersecurity researchers note there has never been a documented case of a malicious hacker compromising a medical device with the intent to hurt a patient. Hackers may be more interested in siphoning valuable data from the hospital. NTT Security says health care records on the black market can fetch between $40 to $50 apiece, compared to $1 to $2 for a stolen banking record.

Yet the FDA says the potential to cause physical injury to a patient should be the key consideration when device companies evaluate how to respond to emerging cyber-risks for ­postmarket devices.

If a cyber-risk appears to pose a "sufficiently low" probability of leading to patient harm, then med-tech companies are encouraged to push out software patches and add additional security controls, and then notify the FDA of the changes in an annual report about device performance.

If the risk of physical harm to a patient is considered "uncontrolled," manufacturers should address the problem as quickly as they can and communicate with regulators, hospitals and users about it. The new guidelines say the FDA may waive some requirements for reporting device corrections if companies tell customers and users about the problem no later than 30 days after learning of it, and then issue a validated fix within 60 days, among other requirements.

"In the absence of remediation, a device with uncontrolled risk of patient harm may be considered to have a reasonable probability that use of, or exposure to, the product will cause serious adverse health consequences or death," the FDA guidelines say. "The product may be considered to be in violation of the (Food, Drug and Cosmetic) Act and subject to enforcement or other action."

Dr. Steven Bradley, a Minneapolis cardiologist, said there are benefits and risks from networked devices. "There's a lot of opportunity to improve the quality of care that we provide by leveraging that interconnectedness. But it also presents risks."