Ransomware, other cyber threats mount as medtech industry tries to adapt

Dive Brief:

  • Cyber threats to the medtech industry, including ransomware and other malware, are growing in sophistication, potentially putting patient safety at risk, according to Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health.
  • “It’s not just a kid in their basement causing trouble. These are actually financially motivated intruders who are going after the low-hanging fruit,” Fu told the Food & Drug Law Institute annual conference last week. “Healthcare happens to be fairly low-hanging fruit when it comes to cybersecurity.”
  • Sophisticated cybercriminals are targeting medical devices, and as manufacturers increasingly use and depend on the cloud for real-time functions, the industry will likely see patient safety issues arise, Fu said. “Everything is hackable,” the FDA device cyber chief declared, noting that ransomware in particular can render a device useless.

Dive Insight:

Cyber attacks on healthcare organizations, including ransomware and botnets, have jumped during the COVID-19 pandemic. Hospitals and other facilities have been the victims of cybercriminals probing their networks for vulnerabilities to exploit. Medical devices, in particular, serve as targets for hackers who use them as entry points into hospital networks.

Fu noted that medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.

“If the device is not available to deliver patient care, that seems like a safety issue,” Fu said. “Let’s say there’s a potential adulteration of a product because of a cybersecurity incident. Maybe it’s ransomware that got in and encrypted the hard drive of a medical device. A real question is how do you know that the device still has integrity?”

As an example, the FDA’s device cyber chief posed a hypothetical in which a drug-eluting device could be compromised by ransomware so that an incorrect medication dosage is administered. “That’s an integrity question,” Fu said. “Then, there’s the availability question … ransomware comes at the heart of availability. It simply renders the device useless.”

ECRI in February flagged third-party operating systems and other software incorporated into medical devices, especially components no longer supported by the vendor, as major cybersecurity risks. The watchdog group also warned that the rapid adoption during the pandemic of both telehealth and remote operation of devices designed for bedside use increased the risk of cybersecurity breaches and tampering.

FDA has been very clear that cybersecurity must be a part of medical device manufacturers’ quality management systems. However, Fu warned that while some device makers are doing fairly well in responding to the agency’s cyber requirements, others seem unaware of what is expected of them.

“There is published, finalized guidance on both premarket and postmarket expectations. And, it’s a fact that FDA has denied premarket clearance based solely on cybersecurity concerns for medical devices,” Fu said. “It’s not optional. It’s part of safety.”

Fu said one area where the medtech industry can improve is threat modeling, which he called essential for a successful premarket review. A threat model lays out what hackers might be able to do to target a medical device and what manufacturers intend to protect, with the assumption that the network is insecure.

“Networks are inherently hostile, even VPN networks,” Fu told the conference. “They were never designed to provide end-to-end security. So, the device still needs to have requirements for a security threat model assuming the network is effectively under control of the adversary.”

Device makers can’t make a cybersecurity claim if they don’t first start with a “sound” threat model, noted Fu, who said he’d like to see more medtechs do a better job in that area. He emphasized that a premarket submission with a threat model that uses “an obscure programming language” or a contention that a manufacturer “has never been attacked” is “not science, not reputable.”

Attorney Vernessa Pollard, chair of law firm McDermott Will & Emery’s FDA practice, told the FDLI conference that while larger global medtechs are addressing these cybersecurity issues and making it a priority, smaller companies are “still behind in terms of having a comprehensive approach” to building it into their medical device quality and design processes.

Nonetheless, Zach Rothstein, AdvaMed’s vice president for technology and regulatory affairs, argued the industry has made significant progress in recent years. Rothstein noted that when he joined AdvaMed six years ago, “cybersecurity was not a front and center kind of issue within most of the member companies,” but today it is a high priority for the 500-plus medtechs that the lobbying group represents.

Still, Rothstein said challenges remain, including the problem of widely used legacy medical devices that may have built-in cyber vulnerabilities. He said a complicating factor is that third-party operating systems and other software used in these devices are no longer supported by the vendors.

“A recent example was Microsoft discontinued security patches and updates for XP,” added Rothstein. “We’re all like Windows XP that’s 20 years old. But some of these large pieces of medical equipment can last that long.”