How can manufacturers improve responses to medical device cybersecurity vulnerabilities?
Medical devices present a great cybersecurity challenge, given their closeness to confidential patient data, not to mention the patients themselves. To compound the issue, a single medical device can have a lifespan of up to 20 years due to a lack of funding and personnel to update them on a regular basis (1). For this reason, many devices often run on obsolete operating systems or have vulnerabilities that have gone unpatched.
These issues cause complications in confronting the threat already posed by hackers who use ingenious methods to compromise medical devices. One such method is monitoring a network with connected medical devices and studying the error messages they generate during normal operation. By leveraging the sensitive software and hardware information the errors often show, hackers can launch a focused attack on those devices (2).
To protect medical devices against these threats, there is a need for an efficient process, involving all stakeholders, to identify and address security gaps. Steps have been made toward this ideal, starting with the FDA cybersecurity guidance. Since its release in 2016, the number of cybersecurity advisories disclosed has been increasing and is projected to double this year, compared to 2017 — with nearly half of them categorised as critical or high (3).
While it is fortunate that there are improvements being made in how medical device cybersecurity concerns are handled, the healthcare industry still lags behind other sectors in this regard.
The number of medical device advisories is projected to double in 2018 (3).
Since the release of the FDA guidance, the amount of critical and medium level disclosures have increased significantly (3).
Identifying where improvements should be made
A recent example of a slow response to a vulnerability is a Fortune 500 medical device company that came under intense scrutiny for its mishandling of product vulnerabilities. The latest concerned the company’s portable computer system, which is used to program and manage cardiac devices and runs on the outdated Windows XP operating system (4).
Researchers from a cybersecurity firm showed that it was possible to hack the device with a fake software deployment network and gain control of any connected devices. This allowed attackers to, for example, remotely disable an implantable insulin pump or take control of a pacemaker system to deliver malware directly to the computers implanted in a patient’s body (5).
The researchers had first reported the exploit to the manufacturer 570 days before its public announcement (5). While the company initially downplayed the risk, it later acknowledged that its response was lacking and pledged to hasten the evaluation and reporting of risks to authorities. Since then, it has released four advisories and an update to its advisory concerning the computer system (5).
A second example is of a different Fortune 500 company’s terminal server that provides administration capabilities to a variety of bedside medical devices connecting to hospital networks. The server uses a web management interface based on RomPager, an embedded web server product commonly use in Internet of Things devices, which has been known to be vulnerable to an exploit called “Misfortune Cookie” (6).
A healthcare cybersecurity research group discovered Misfortune Cookie in the terminal server and found that the exploit can create an arbitrary write to the memory without authentication, letting attackers login without credentials, gain administrator-level privileges, or crash the system — harming server availability and the network connectivity of linked medical devices.
The FDA’s 2016 cybersecurity guidance aimed to mitigate similar cyber security threats by placing emphasis on collaboration between stakeholders. In the case of the terminal server, the manufacturer’s response to the vulnerability follows the FDA’s guidance, where after being notified by the cybersecurity firm, it worked to validate the vulnerability, notify customers, and provide a workaround and an update to the device’s firmware.
While the response was commendable, Misfortune Cookie was publicly known for at least four years before its discovery in the server, showing that there is still room to improve the rate at which vulnerabilities are found and addressed (6). The full details regarding the impact of this vulnerability can be found in this advisory.
Take action to ensure security of your device
To enhance the safety of medical devices, the FDA plans to take actions to provide a robust regulatory framework. The agency has requested additional authority from the United States Congress to require manufacturers to make their devices patchable and to have hospitals set up programs for security researchers to contact them when a vulnerability is found (1). The FDA also has plans to set up a CyberMed Safety Analysis Board in the 2019 fiscal year to provide oversight for digital risks, which can include investigating suspected incidents of compromise, assessing vulnerabilities and adjudicating disputes (1,7).
At ICON, we recommend the use of a cybersecurity vulnerability assessment tool to alert manufacturers of a device’s risks. Our cybersecurity experts can assist in the development of programs that proactively control risks and stay on top of vulnerabilities as they arise. To learn more, please contact us at www.iconplc.com/devices
References
- Janofsky A. FDA Plans Cybersecurity ‘Go-Team’ to Strengthen Medical Devices. Wall Street Journal, April 24, 2018.
- Helpnet Security. Hackers are finding creative ways to target connected medical devices. September 28, 2018.
- Medcrypt. What Medical Device Vendors Can Learn From Past Cybersecurity Vulnerability Disclosures. August 16, 2018.
- Hern A. Hackable implanted medical devices could cause deaths, researchers say. The Guardian, August 9, 2018.
- Carlson J. Scrutiny continues as Medtronic acknowledges cybersecurity issues with its medical devices. Star Tribune, August 15, 2018.
- Med Tech Innovation. Cyber-security vulnerabilities identified in two major medical devices. August 31, 2018.
- McGee M. The FDA's New Digital Health Cyber Unit: What Would It Do? GovInfo Security, September 27, 2018.
In this section
-
Digital Disruption
- AI and clinical trials
-
Clinical trial data anonymisation and data sharing
-
Clinical Trial Tokenisation
-
Closing the evidence gap: The value of digital health technologies in supporting drug reimbursement decisions
-
Digital disruption in biopharma
-
Disruptive Innovation
- Remote Patient Monitoring
-
Personalising Digital Health
- Real World Data
-
The triad of trust: Navigating real-world healthcare data integration
-
Patient Centricity
-
Agile Clinical Monitoring
-
Capturing the voice of the patient in clinical trials
-
Charting the Managed Access Program Landscape
-
Developing Nurse-Centric Medical Communications
- Diversity and inclusion in clinical trials
-
Exploring the patient perspective from different angles
-
Patient safety and pharmacovigilance
-
A guide to safety data migrations
-
Taking safety reporting to the next level with automation
-
Outsourced Pharmacovigilance Affiliate Solution
-
The evolution of the Pharmacovigilance System Master File: Benefits, challenges, and opportunities
-
Sponsor and CRO pharmacovigilance and safety alliances
-
Understanding the Periodic Benefit-Risk Evaluation Report
-
A guide to safety data migrations
-
Patient voice survey
-
Patient Voice Survey - Decentralised and Hybrid Trials
-
Reimagining Patient-Centricity with the Internet of Medical Things (IoMT)
-
Using longitudinal qualitative research to capture the patient voice
-
Agile Clinical Monitoring
-
Regulatory Intelligence
-
An innovative approach to rare disease clinical development
- EU Clinical Trials Regulation
-
Using innovative tools and lean writing processes to accelerate regulatory document writing
-
Current overview of data sharing within clinical trial transparency
-
Global Agency Meetings: A collaborative approach to drug development
-
Keeping the end in mind: key considerations for creating plain language summaries
-
Navigating orphan drug development from early phase to marketing authorisation
-
Procedural and regulatory know-how for China biotechs in the EU
-
RACE for Children Act
-
Early engagement and regulatory considerations for biotech
-
Regulatory Intelligence Newsletter
-
Requirements & strategy considerations within clinical trial transparency
-
Spotlight on regulatory reforms in China
-
Demystifying EU CTR, MDR and IVDR
-
Transfer of marketing authorisation
-
An innovative approach to rare disease clinical development
-
Therapeutics insights
- Endocrine and Metabolic Disorders
- Cardiovascular
- Cell and Gene Therapies
- Central Nervous System
-
Glycomics
- Infectious Diseases
- NASH
- Oncology
- Paediatrics
-
Respiratory
-
Rare and orphan diseases
-
Advanced therapies for rare diseases
-
Cross-border enrollment of rare disease patients
-
Crossing the finish line: Why effective participation support strategy is critical to trial efficiency and success in rare diseases
-
Diversity, equity and inclusion in rare disease clinical trials
-
Identify and mitigate risks to rare disease clinical programmes
-
Leveraging historical data for use in rare disease trials
-
Natural history studies to improve drug development in rare diseases
-
Patient Centricity in Orphan Drug Development
-
The key to remarkable rare disease registries
-
Therapeutic spotlight: Precision medicine considerations in rare diseases
-
Advanced therapies for rare diseases
-
Transforming Trials
-
Accelerating biotech innovation from discovery to commercialisation
-
Ensuring the validity of clinical outcomes assessment (COA) data: The value of rater training
-
Linguistic validation of Clinical Outcomes Assessments
-
Optimising biotech funding
- Adaptive clinical trials
-
Best practices to increase engagement with medical and scientific poster content
-
Decentralised clinical trials
-
Biopharma perspective: the promise of decentralised models and diversity in clinical trials
-
Decentralised and Hybrid clinical trials
-
Practical considerations in transitioning to hybrid or decentralised clinical trials
-
Navigating the regulatory labyrinth of technology in decentralised clinical trials
-
Biopharma perspective: the promise of decentralised models and diversity in clinical trials
-
eCOA implementation
- Blended solutions insights
-
Implications of COVID-19 on statistical design and analyses of clinical studies
-
Improving pharma R&D efficiency
-
Increasing Complexity and Declining ROI in Drug Development
-
Innovation in Clinical Trial Methodologies
- Partnership insights
-
Risk Based Quality Management
-
Transforming the R&D Model to Sustain Growth
-
Accelerating biotech innovation from discovery to commercialisation
-
Value Based Healthcare
-
Strategies for commercialising oncology treatments for young adults
-
US payers and PROs
-
Accelerated early clinical manufacturing
-
Cardiovascular Medical Devices
-
CMS Part D Price Negotiations: Is your drug on the list?
-
COVID-19 navigating global market access
-
Ensuring scientific rigor in external control arms
-
Evidence Synthesis: A solution to sparse evidence, heterogeneous studies, and disconnected networks
-
Global Outcomes Benchmarking
-
Health technology assessment
-
Perspectives from US payers
-
ICER’s impact on payer decision making
-
Making Sense of the Biosimilars Market
-
Medical communications in early phase product development
-
Navigating the Challenges and Opportunities of Value Based Healthcare
-
Payer Reliance on ICER and Perceptions on Value Based Pricing
-
Payers Perspectives on Digital Therapeutics
-
Precision Medicine
-
RWE Generation Cross Sectional Studies and Medical Chart Review
-
Survey results: How to engage healthcare decision-makers
-
The affordability hurdle for gene therapies
-
The Role of ICER as an HTA Organisation
-
Strategies for commercialising oncology treatments for young adults
-
Blog
-
Videos
-
Webinar Channel