A recent story which ran on CBS News entitled “How medical devices like pacemakers and insulin pumps can be hacked” highlighted deficient plans and processes by the US Food and Drug Administration for addressing medical device cybersecurity compromises. The report issued by the Inspector General has been disputed by the FDA, which says that it has worked proactively on the issue with security researchers and ethical hackers to identify and fix many of the problems.
This may be the case, but the fact remains that the industry as a whole has been largely in a state of denial over the breadth and depth of cybersecurity vulnerabilities in medical devices and has been very slow to inventory and remediate risks – even when researchers have shown evidence that many security vulnerabilities pose a significant patient safety concern.
The FDA's close working relationship with manufacturers and its preference for constructive ‘guidance’ rather than ‘enforcement’ has been criticized many times before. Despite a growing body of evidence of medical devices being hacked in research lab environments and live on stage at security conferences around the world, dating back nearly a decade, it is only within the last couple of years that new devices were forced to undergo any sort of cybersecurity risk assessment prior to being approved for use on patients. Some say the FDA acted too slowly to bring about change and that nobody has yet really dealt with the legacy device problem. Medical devices have long expected life cycles, and more expensive systems like X-ray, CT and PET scanners are often depreciated over 15+ years, meaning that near-term replacement of insecure legacy devices is not a feasible option.
Whatever the case, the fact remains that most manufacturers have not taken any sort of proactive role to risk assess the security of their legacy devices in use today, even when informed of security vulnerabilities long before public disclosure. The onus for risk assessment of these devices currently seems to be placed squarely on the shoulders of providers, who in turn are ill-equipped to assess or remediate problems. Solving this problem will take a strong and concerted effort on all sides with robust leadership and oversight provided by the FDA.
The issues highlighted in the CBS report are remarkably similar to another case that I wrote about in 2016 concerning St Jude Medical (now owned by Abbott Labs). Despite being informed of major patient safety risks to its implanted Cardiac Rhythm Devices (pacemakers), St Jude Medical chose not to do anything about these risks until Muddy Waters Capital made an example of the company by trading on futures while engaging a security firm to hack and disclose significant weaknesses in the St Jude devices, thus gaining from a downward adjustment of the St Jude stock price.
The St Jude disclosure caused the first ever FDA intervention in medical device security after mass public concern. The fact however remains that security vulnerabilities in medical devices are likely not limited to only a few manufacturers, but common across the thousands of vendors and hundreds of thousands of medical devices that are in circulation globally. Many, if not most, of these are responsible for keeping patients alive. The trouble is that we don’t really know the true extent of vulnerabilities and the risks posed to patients by these potentially insecure devices.
Manufacturers do not have programs to risk-assess and penetration test their legacy medical devices and only the most recently approved devices were tested at all from a cyber risk perspective – all other testing being primarily functional in nature, in order to obtain FDA approval.
Hospitals and other healthcare delivery organizations that use or surgically implant medical devices in people’s chests rarely, if ever, test medical devices either. Even devices that remain in hospitals, like network-attached morphine and insulin pumps, X-ray and CT scanners, are rarely tested for their cybersecurity vulnerabilities, let alone devices that leave with patients and may not be seen again.
Without testing and without performing a thorough and bona fide risk assessment to NIST SP800-30 standards in line with HIPAA and OCR requirements, we will probably never really know just how big a problem this is across the entire industry.
Until such time as a full forensic examination of implanted medical devices takes place, rather than their simply being burned or buried with the patient, we will probably never know the true number of deaths caused by device failure, how exactly these devices failed, and whether a cyber-attack against the device caused its failure and the premature death of the patient.
The United States does a great job of evaluating and underwriting all kinds of risks – everything from crop yields, to natural disasters, to the likelihood of flood, fire or theft – yet as a country we really are rolling the dice when it comes to medical risk, and particularly medical device risk. In short, we, as a nation, are gambling on the security of the medical devices that keep many of our citizens alive each day.