While most eyes interested in cybersecurity for the past two weeks have been focused upon (and for good reason) the Equifax breach, the U.S. Food and Drug Administration (FDA) continued its pressure on medical device manufacturers to build security into product design — just as the U.S. Department of Homeland Security warned the medical community of eight vulnerabilities in Smiths medical wireless infusion pumps.
Let’s face it: building security into a product is certainly not a new concept. And while the software industry has fallen short, software makers have known for some time that the correct way to go is to develop software that is secure by design, secure in how it’s developed, and secure in how it’s deployed and managed in production.
Now, as software and network connectivity increasingly finds their way onto medical devices, the same need for secure development practices is more true than ever for medical implants and other devices. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, recently said that the FDA is dedicated to getting everyone in the medical device industry involved in these important efforts of securing medical devices.
The FDA is working to "foster a culture of continuous quality improvement," Healthcare IT News quoted Schwartz. Schwartz explained to the publication how the FDA has adopted advice from the National Institute of Standards and Technology (NIST) and to share information among the National Health Information Sharing and Analysis Center (NH-ISAC) about the security of medical device threats and vulnerabilities.
Medical device makers had better act fast when it comes to getting their act together. In late August, the FDA issued a recall of Abbott’s pacemakers. This voluntary recall involved the same pacemakers that made news earlier this year (and covered by Business Insights in St. Jude Takes Steps to Secure Vulnerable Medical Implants), that enabled attackers to drain the battery life and alter the software on the pacemakers.
These devices exist installed into the chests of patients — needless to say the required hospital trip to fix these types of software vulnerabilities are a much greater hassle — and much more dangerous — than a computer endpoint update and reboot.
The Abbott pacemakers require new firmware, and on August 29 the FDA issued the advisory Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication that said that
many medical devices, including St. Jude Medical's implantable cardiac pacemakers, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA wrote.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the agency said.
That’s very scary stuff.
There are 465,000 of these devices implanted in the U.S. alone, according to the FDA. Fortunately, there’s no documented cases of harm coming from these vulnerabilities.
Earlier this year the FDA published a 30-page guide to help manufacturers not only identify flaws in products after they’ve shipped, but also work with bugfinders who identify flaws. As we wrote then, these are also two issues traditional software makers still find challenging, but have built processes that have improved their relationship and success with security researchers.
In the blog post announcing the guidance, the FDA detailed that medical device manufacturers should implement what it called “a structured and comprehensive program to manage cybersecurity risks.” This means manufacturers should, according to the FDA:
- Have a way to monitor and detect cybersecurity vulnerabilities in their devices
- Understand, assess and detect the level of risk a vulnerability poses to patient safety
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
- Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm
Now, in this latest advisory, the FDA recommends Health Care Providers:
- The FDA and Abbott do NOT recommend prophylactic removal and replacement of affected devices.
- Discuss the risks and benefits of the cybersecurity vulnerabilities and associated firmware update with your patients at the next regularly scheduled visit. As part of this discussion, it is important to consider each patient's circumstances, such as pacemaker dependence, age of the device, and patient preference, and provide them withAbbott's Patient Guide.
- Determine if the update is appropriate for the given patient based on the potential benefits and risks. If deemed appropriate, install the firmware update following the instructions on the programmer.
- For pacing dependent patients, consider performing the cybersecurity firmware update in a facility where temporary pacing and pacemaker generator can be readily provided.
- Print or digitally store the programmed device settings and the diagnostic data in case of loss during the update.
- After the update, confirm that the device maintains its functionality, is not in backup mode, and that the programmed parameters have not changed.
The firmware update process is detailed here.
From the same advisory, recommendations for patients and caregivers includes they:
- Consult with their physician(s) for determining when they should receive the update and if they have any questions or concerns about the vulnerabilities or the update. Their ongoing medical management should be based on their own medical history and clinical condition.
What an awful mess. Patients shouldn’t have to worry about cybersecurity tradeoffs in their medical devices, but perhaps that’s too much to ask. But it’s clear that none of us want to see anything equivalent to a monthly patch Tuesday to the devices that help keep our bodies functioning smoothly and healthily along. But I fear that is exactly where we are heading.