What The FDA’s Postmarket Management of Cybersecurity in Medical Devices Means for Manufacturers of Medical Devices

The FDA’s guidance on “Postmarket Management of Cybersecurity in Medical Devices” is a complementary document to the 2014 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. The 30 pages of the guidance contain detailed recommendations, and the manufacturers of medical devices need to study them thoroughly.

The guidance is consistent with the cybersecurity guidelines set by the U.S. Government for other industries such as power grids and financial organizations and aims to protect critical infrastructures from cyber threats. Since most of the medical device manufacturing is in the private sector, the guidance also aims to facilitate cooperation between the public and private actors in preventing and mitigating cyber attacks.

Key Highlights

#1. Medical devices: the guidance applies to medical devices containing software, firmware, or programmable logic, as well as mobile medical devices and applications, and devices that are part of interoperable systems, including legacy devices already in use or on the market.

The agency explains that the scope of medical devices has increased to include any device that is connected to computer networks and can, therefore, be compromised.

#2. Patient Harm (IV): the guidance stresses the importance of risk-based assessments of cybersecurity vulnerabilities that could cause patient harm. Of note: Patient Harm replaces Essential Clinical Performance, which was present in the draft version. The definition of patient harm is aligned with ISO 14971.

Interestingly, the guidance excludes compromise of private data from the definition of patient harm and refers to HIPAA for privacy protection recommendations.

#3. Evaluation of Risk of Patient Harm (VI) is the key purpose of the cyber-vulnerability risk assessment, which needs to determine whether the risk of patient harm is:

  • controlled/acceptable (low probability of an exploit harming patient health)
  • or uncontrolled/unacceptable (high probability of an exploit harming patient health).

The agency suggests a matrix to evaluate risk acceptability, involving:

  • the exploitability of the vulnerability
  • the severity of patient harm in case the vulnerability is exploited

Of special note here is the recommendation to adopt a vulnerability disclosure policy and recognize that mitigation changes may affect the device’s performance.

#4. The Postmarket Considerations (V) section introduces recommendations to deploy a robust cybersecurity risk management program throughout the entire product lifecycle. The FDA emphasizes that such programs must include:

  • Monitoring information sources (ISAO, customer complaints, service records) for news on new vulnerabilities and threats.
  • Deploying threat modeling to define how to maintain safety and essential performance.
  • Implementing mechanisms for monitoring third-party software for emerging vulnerabilities during the device’s entire lifecycle; and design verification and validation for software updates and patches for vulnerabilities, including those in off-the-shelf software.

The cybersecurity program needs to be comprehensive, systematic, thoroughly documented and in compliance with the Quality System Regulation (21 C.F.R. Part 820). NIST has guidance on cybersecurity programs for manufacturers, and the FDA’s guidance contains an Appendix, “Elements of an Effective Postmarket Cybersecurity Program.” It encompasses five elements: 1) identify; 2) protect or detect; 3) protect/respond/recover; 4) mitigate risks to safety and essential performance.

#5. Maintaining Safety and Essential Performance (V) links cybersecurity risk management to safety, essential performance, threat modeling, and mitigation actions.

Controlled risks can be patched in a routine update. They fall under the “cybersecurity routine updates and patches” group. These patches are not considered as repairs and do not call for reporting under 21 CFR 806. If a manufacturer holds a PMA, an annual 21 CFR 814.84 report needs to mention the patch.

Uncontrolled risks must be remediated as soon as possible with a patch, an update or a temporary “fix” (for example, disabling the Internet connectivity). When a permanent patch takes some time to design and deploy, it is advisable to start with a quick temporary fix to ensure patient safety, and then proceed with the permanent patch. Manufacturers must report these fixes to the FDA (21 CFR part 806).

#6. Reporting exceptions. The FDA waives the 21 CFR 806 reporting if the three requirements are met:

  • No deaths or other serious adverse events happened due to the vulnerability.
  • The manufacturer has notified users of an available fix (temporary or permanent) within 30 days of learning of the vulnerability. The manufacturer has instructed the users on how to apply the fix.
  • No later than 60 days after learning about the vulnerability, the manufacturer fixes it, validates the change and distributes the patch. The manufacturer should follow up with end-users after the distribution of the patch.
  • The manufacturer is a member of an ISAC/ISAO.

#7. Criteria for Defining Active Participation by a Manufacturer in an ISAO (IX) urges manufacturers to participate in an Information Sharing Analysis Organization.

ISAO/ISAC (Information Sharing & Analysis Committee/Organization): non-profit, industry-specific organizations created to let members share knowledge about data security. Members of these organizations have a few legal exemptions that apply to the information they share. NH-ISAC is an ISAC, where the National Healthcare organization is a partner.

#8. Impact on Industry

The basic principles of the NIST framework must be adopted in the manufacturers’ cybersecurity program. Take medical device cybersecurity into account throughout the entire product lifecycle. Pre-market, manufacturers should incorporate cybersecurity management inputs and design an approach that would determine:

  • Assets and vulnerabilities;
  • How threats/vulnerabilities may cause Patient Harm;
  • The likelihood of threats;
  • Risk levels based on mitigation promptness and strategies;
  • Residual risk assessment, and risk acceptance criteria.

Manufacturers must define the risk of patient harm, identify the cybersecurity vulnerabilities of their devices, assess and classify the existing risks and engage in remediation. Proper documentation of the process is expected.

The health IT community must engage in better information sharing. The FDA encourages the medical device manufacturers and the health IT community as a whole to collaborate more closely in ISAOs and ISACs to facilitate threat identification and remediation. The FDA Center for Devices and Radiological Health (CDRH) also encourages the fostering of ISAOs and the role of NH-ISAC. The manufacturers of medical devices should consider joining an ISAC to:

  • Have access to information and intel about the cyber threats.
  • Be exempt from some reporting requirements under 21 CFR 806 (uncontrolled risks).
  • Have access to a community where manufacturers can share information that is exempt from regulatory use, civil litigation, and the federal Freedom of Information Act, provided the data shared meets the requirements of the Critical Infrastructure Information Act.

Manufacturers must understand and comply with the mandatory reporting requirements under 21 CFR 806. This is one of the most complex points, since reporting is difficult to draft and apply and raises concerns about proprietary data protection.

Summary

The FDA has been explicit that manufacturers must deploy comprehensive cybersecurity and risk analysis over the entire lifecycle of a medical device. The primary focus of the analysis is the risk of patient harm. The guidance includes legacy and mobile devices in the scope of medical devices, recognizing that connectivity increases the chances of a device compromise.

The good news is the reduced reporting to the agency in certain cases, and ways to disclose vulnerabilities without assuming a litigation risk.

At this point, manufacturers should acknowledge the FDA’s increasing attention to cybersecurity, and take these recommendations as seriously as possible. As medical devices become more connected and smart than ever, we can expect that some of the recommendations, if not most, could become mandatory in the foreseeable future.

How Hackers Can Infiltrate Networked Medical Devices

Until fairly recently the medical community was not aware of the fact that there are hackers out there who have the ability to infiltrate a hospital’s medical devices and exploit the data contained in them for profit or for other purposes. Even though these devices tend to be protected using a firewall, they are still highly vulnerable to potential hacker attacks.

What’s more, the number of devices used in hospitals has been growing for decades. Roughly 20 years ago, there was just one medical device for a single patient, on average. Today, there are approximately 10 to 15 devices per bed. In the United States alone, the estimated total number of such devices is between 10 and 15 million. When a hacker is capable of infiltrating one such device or hospital, that person has the ability to do the same with other hospitals, too, as they often use the same type of equipment.

So the first thing to ask is: what kind of data could be stolen?

The computers at hospitals often store personal information about the patients, including their Social Security numbers, dates of birth, addresses, relationships within the family, and emergency contact information.  This data can easily be used for blackmailing. On top of that, many hackers do not hesitate to assume the identity of the person whose data has been stolen, thereby engaging in insurance fraud and other types of fraudulent behavior. It’s also not uncommon for hospital PCs to also contain credit card information of the patients. This information has value to the hacker, as it can be used to make purchases online and in certain cases, is re-sold.

Devices That May Be Targeted

The list of devices certainly does not end with computers, however. There are also ventilators, CT and MRI scanners, infusion pumps and other types of medical equipment that can be accessed externally and controlled from a far distance.  This is because most, if not all of these devices, are connected to the Internet. They also tend to be inter-connected so once one of them is infiltrated, the others are usually affected as well.

Consider an infusion pump as an example. These can be found in virtually every hospital room, attached to a stand right next to the patient’s bed. What’s scary is that these pumps are usually controllable from a distant location. A capable hacker could find a way to push these buttons without a remote control and pour an overdose of a drug into the patient’s body, which could prove to be fatal. Even a slightly higher dose can be lethal in some cases.

Hackers use various tactics to get into the system. They can take advantage of email phishing and send deceptive emails to the staff of the hospital, making them believe the email is coming from an acquaintance, a colleague, or a friend. These emails often contain malware, which, once installed, gives a hacker access to the device. In many cases, once one device is infected with malware, a hacker can then infect other devices as well, thus gaining full control of the networked medical device system.

How to Protect Yourself

Fortunately, since there have been many attacks on hospitals in the past, hospitals can now learn from how these events took place in order to anticipate such an attack and take measures to prevent it from happening. It is advisable to use up-to-date antivirus software on the computers used within the hospital and perform regular scans to decrease the likelihood of having some sort of malware on the computers. Oftentimes, the malware is kept hidden from you and, just like viruses that attack living cells, may remain dormant for many months until a hacker realizes your computer is infected and exploits it.

If a member of the hospital staff finds out one of the devices is under a cyberattack, one thing to consider is to disconnect all of the devices from the internet. As the saying goes, anything that is connected to the internet can be hacked in one way or another. Until recently, medical devices, such as infusion pumps, were not online, and so hospitals still need to get accustomed to the idea that their equipment could be attacked. Many of them simply do not consider this to be an option due to a lack of imagination. They do not see why a hacker would be motivated to choose a hospital as the target. However, there is a motivation behind such actions, as the hacker is trying to get the patients’ bank account information and other pieces of highly confidential data. Therefore, it is a bad idea to underestimate this menace.

One thing a hospital can do to be prepared is to use medical devices created with security as the primary goal. A tablet with an added layer of ID verification can be the way to go. Such a tablet may include a fingerprint reader, so that only authorized personnel may access the data on the tablet. Furthermore, it can feature a smart card reader to allow only people with the card to access the device.

Conclusion

Cybersecurity in hospitals is a growing concern not only in health care but in defense and other areas, too. As an example, a metallurgical furnace located in Germany was cyberattacked and the iron contained in the furnace was cooled and solidified in the process. The incentive for hackers is mostly financial, but sometimes they pick an institution just because they want to do harm, just like in the case of the furnace. The most effective ways to tackle this problem and prevent security breaches within your organization are to:

  • Use modern, secured devices
  • Continuously stress the importance of security to your employees

Reducing Cybersecurity Threats with Biometric and Smart Card Readers

Health organizations have dedicated millions toward implementing security tools to thwart cybersecurity threats. Unfortunately, these efforts have been challenged: even with firewalls, prevention systems, intrusion detection and email security in place, executives and employees have proven to be among the biggest threats. To prevent this threat to cybersecurity, healthcare providers are urged to implement strong and effective authentication measures to control who accesses what within a healthcare facility. As a countermeasure to cybersecurity threats by employees and executives, biometric and smart card readers have proven effective.

Biometric Readers

With the implementation of electronic health records, there has been positive feedback regarding the effectiveness of healthcare organizations and quality patient care. As more hospitals and medical centres migrate to these electronic systems, there are increasing concerns about data integrity management and the protection of information from unauthorised access and corruption.

As these electronic health record systems proliferate, they become increasingly vulnerable and susceptible to cybersecurity threats. Preventing corruption within the system is a life and death situation; hence, these healthcare organizations should proceed with care. This ensures that the appropriate care is given to the right patient, and medical records are current and connected across the network.

To address this issue, healthcare organizations need to integrate biometric readers into their systems. This reinforces the security of medical records without delaying workflow. Biometric readers within your healthcare system can be used for the following security purposes:

  • Absolute privacy of patient information
  • User authentication
  • Secure storage and retrieval of data
  • PKI (Public Key Infrastructure) Management

Through a biometric system, operational efficiencies prevail, as a patient’s identification is tied to their appropriate treatments and medical records. In addition, this system has achieved what many medical agencies pined for – a universal patient ID number – which possesses the capacity to connect patients to a unique number linked to biometrics.  Overall, medical computers with biometric readers provide tremendous results in accuracy, specifically for identifying staff and patients.

CAC/Smart Card Readers

The healthcare industry is awash with smart cards. Smart cards are similar in appearance to credit cards, but the security within the card is much stronger. With a microprocessor embedded within the card, the host computer and smart card reader actually communicate with the microprocessor. The processor then executes or enforces whatever command is given when used. When complemented by a smart card reader, this can be used as a powerful means of authentication. When implemented within hospitals, smart cards strengthen the hospital’s security, providing many benefits. The many benefits include:

  • Irrefutable patient identification across the board, including organization and geographic boundaries.
  • Counters the provision of duplicate ID cards.
  • Capacity to locate where a patient’s ID has been used.
  • Provides a secure means by which patient health information can be accessed
  • Provides confirmation of a patient’s medical insurance.
  • Provides risk mitigation in countering identity theft, fraud and even breaches to data.
  • Safely stores identifiers for patients and deactivation for lost identifiers.

How Hospitals Benefit when Using Biometrics and CAC Cards with an EMR/EHR System

An EMR system is very important. Securing medical records stored on these systems is essential to the continued operation of any healthcare organization. A compromise of this system could spell immense trouble. To secure EMR systems from cybersecurity threats, biometrics and CAC cards have done wonders for healthcare providers in various ways.

  • Users of EMR (nurses, physicians, pharmacists etc.) enjoy an easy but powerful login process, without the need to remember difficult passwords.
  • Quick and easy access to their patient’s health records. This improves the collective process of gathering information, as it does not need to be collected from the patient’s memory.
  • Information is on hand in cases of emergencies to ensure successful results.
  • Physicians do not need to distribute a patient’s medical history to another as records are integrated. Importantly, the smart cards are used with an EMR system to prevent or minimize the risk of a patient’s confidential information being leaked or a stolen identity.
  • Smart cards reduce the risk of excess medical tests and hospital admissions that aren’t necessary.

These procedures are all important for healthcare providers. Once biometric readers and smart cards are implemented in conjunction with medical PCs and tablets, cybersecurity threats will be significantly reduced, as executives and employees would have received education on security measures and effective authentication measures in various healthcare facilities.