Cybersecurity considerations have been part of designing an effective Good Manufacturing Practice (GMP) network since the FDA issued its first computerized validation guidance in the 1980s. With FDA’s renewed interest in ensuring data integrity at home and across the global supply chain, what is complicating the cybersecurity discussion today is exposure to threats that come from the interconnectivity that defines modern business. From laptops to smartphones to intelligent car consoles, securing proprietary or sensitive data has never been more difficult. With systems designed to promote connectivity, the threat profile today is changing as fast as the sophistication of our electronic devices.
The rising tide of ransomware attacks targeting hospitals reveals a threat that goes beyond protecting data from theft, as crypto-extortion can affect data in place. Hackers already exploit inherent vulnerabilities in health IT systems and medical devices, many of which run outdated and vulnerable software.
In August 2015, the FDA issued its first cybersecurity alert warning that older models of Hospira’s Symbiq infusion pump systems are vulnerable to illegal cyberattacks that could over- or under-dose patients remotely. While no patients were hacked, the FDA strongly urged hospitals and patients using the pump to transition to alternative models that had greater cybersecurity protection. A formal cybersecurity plan is a component of every Design History File today, and the FDA expects one in any 510(k) or Pre-Market Approval (PMA) submission.
The FDA’s final cybersecurity guidance issued last year outlines the risks:
“Manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks. Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis.”
The lingering threat to intelligent medical devices is compounded by the now-frequent ransomware attacks on healthcare and research organization networks. Ransomware is malicious software code that spreads like a virus to encrypt data on a server’s hard drive and block all access unless the user pays a ransom. Once companies are infected with ransomware, some law enforcement officials have publicly advised them to pay the ransom to unlock the data even though there are no guarantees of system recovery.[1]
The recent string of successful ransomware attacks on U.S. hospitals highlights the vulnerability of the sector. Ransomware places hospitals in a unique legal position when, technically, HIPAA-protected data has not been breached. Hospitals are less inclined to report such attacks as HIPAA breaches, because they can incur a hefty financial penalty for every compromised record. In 2015, the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services reported that 253 healthcare data breaches had affected nearly 112 million health records — nearly 35 percent of the U.S. population.
Extending the threat of ransomware from hospital data networks to medical devices, the risk to individuals using intelligent devices is tangible. Implantable medical devices such as defibrillators, pacemakers, and insulin pumps that use radio frequencies (RF) to program and control the devices over the air are certainly at risk if patient or caregiver access can be denied. Intelligent drug delivery systems that regulate frequency and dose delivery are equally vulnerable.
Standards and security
GMP systems are predicated on the presence of baseline standards, yet there are currently no specific standards for ransomware. Within the International Electrotechnical Commission (IEC), a cybersecurity standard — IEC 62443 — is emerging as a series that can be used for designing system security. In January 2016, the FDA issued its draft guidance on Post-Market Management of Cybersecurity in Medical Devices. The guideline relies heavily on a primary guidance, A Framework for Improving Critical Infrastructure Cybersecurity, issued by the National Institute of Standards and Technology (NIST) in 2014.[2] However, it does not provide any mandatory requirements for device manufacturers.
Still, in 2013 the FDA announced its intent to develop a special lab utilizing a software testing technique described as “fuzz testing.” The fuzzing tool, called “Codenomicon Defensics,” is a powerful software testing platform that enables developers and asset owners to proactively discover and remediate unknown vulnerabilities in software and devices by inputting massive amounts of data.[3] With the cybersecurity landscape changing rapidly, it remains to be seen how the FDA will implement such testing as part of the approval process for intelligent devices in the future.
References
1. Joseph Bonavolonta, Assistant Special Agent of the FBI’s Cyber and Counterintelligence Program, Boston. The Security Ledger, Oct. 2015.
2. Framework for Improving Critical Infrastructure Cybersecurity issued by The National Institute of Standards and Technology: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
3. Codenomicon Defensics, http://www.codenomicon.com/products/