Connected medical technology is rapidly transforming patient treatment.
Pacemakers, insulin pumps, wearable devices that track patient activity levels and pills containing ingestible sensors that track medication adherence are among the innovations that allow physicians to monitor patients remotely, promising more cost-effective care and improved outcomes.
But connected medical devices also raise concerns about patient privacy and cybersecurity. Connected devices gather vast amounts of patient data and create more points for connection, raising the risk of a security breach that can involve not just the data but also control of the device itself.
Companies manufacturing such devices should understand regulatory and litigation risks associated with them and regularly take steps to minimize those risks.
Meanwhile, providers making use of the technology for patient care should also be aware of the dangers and step in where possible to ensure patient privacy and device security. In the wake of a major cyber incident, a healthcare organization may face government investigations, both domestically (by the U.S. Food and Drug Administration and other federal and state regulatory agencies, such as the Federal Trade Commission and state attorneys general) and internationally (by foreign data privacy and consumer safety regulators). Moreover, breaches can draw unwanted media attention, customer demands and litigation — all of which require a careful and rapid response. Counsel must be prepared to simultaneously coordinate responses on all fronts.
So, what can healthcare organizations do to reduce the risk of a cyber incident? There are three strategies that can help keep devices safe.
1. Design Medical Devices with Cybersecurity in Mind
The first step to a secure device landscape is to design connected products to be secure from the outset. This means product design teams developing connected products should include privacy and cybersecurity experts in the process. Design teams should also be in regular communication with litigators to stay informed of developing areas of legal risk.
The FDA published guidance for the Postmarket Management of Cybersecurity in Medical Devices in December 2016. More recently, the agency published draft guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices in October 2018, which offers detailed recommendations for the design of connected medical devices. According to the guidance:
- Those developing connected medical devices should consider the use of authentication, authorization and encryption to prevent unauthorized commands being sent to any safety-critical system and to prevent unauthorized access to sensitive information.
- Products should be designed with the ability to detect and respond to dynamic cybersecurity risks, including the deployment of routine security updates and patches.
- Designers should scrutinize labeling to ensure it effectively informs end users of key security information.
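As an illustration of the first recommendation above, the following added example (not taken from the FDA guidance or from any vendor's code) shows a device refusing commands that are unauthenticated, replayed or outside the sender's role. The sender names, command names, shared-key scheme and message layout are all assumptions made for the sketch, and it covers authentication and authorization only, not encryption.

```python
import hashlib
import hmac
import json

# Hypothetical provisioning data: one key per controller, and the commands each role may send.
KEYS = {"clinic-programmer-01": b"constructed-demo-key-A", "home-monitor-07": b"constructed-demo-key-B"}
ROLES = {"clinic-programmer-01": "clinician", "home-monitor-07": "monitor"}
ALLOWED = {"clinician": {"read_telemetry", "set_basal_rate"}, "monitor": {"read_telemetry"}}


def _mac(key, sender, counter, command, params):
    # Canonical encoding so both sides authenticate exactly the same bytes.
    body = json.dumps([sender, counter, command, params], sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def sign_command(sender, counter, command, params):
    """Controller side: build an authenticated command message."""
    return {"sender": sender, "counter": counter, "command": command, "params": params,
            "mac": _mac(KEYS[sender], sender, counter, command, params)}


class Device:
    def __init__(self):
        self.last_counter = {}  # highest counter accepted per sender (replay protection)

    def handle(self, msg):
        """Return 'accepted' or the reason the command was refused."""
        sender = msg.get("sender")
        key = KEYS.get(sender)
        if key is None:
            return "rejected: unknown sender"
        expected = _mac(key, sender, msg.get("counter"), msg.get("command"), msg.get("params"))
        # Constant-time comparison avoids leaking how much of the MAC matched.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad MAC"
        if not isinstance(msg["counter"], int) or msg["counter"] <= self.last_counter.get(sender, -1):
            return "rejected: replay"
        self.last_counter[sender] = msg["counter"]
        # Authorization is checked separately: an authentic sender may still lack the right.
        if msg["command"] not in ALLOWED[ROLES[sender]]:
            return "rejected: not authorized"
        return "accepted"
```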
Additionally, effective privacy notice and consent agreements are of the utmost importance. Choice of law and arbitration clauses embedded in these documents can significantly shape the course of civil litigation that follows a cyber incident.
2. Closely Monitor Medical Devices for Vulnerabilities
Once a connected product is on the market, healthcare organizations should closely monitor, identify and address cybersecurity vulnerabilities. Internet-connected products are notoriously complex. Providers should build a quality review team for such products, bringing together members with diverse expertise who, together, will have a full understanding of the potential risks posed by the product.
The FDA’s post-market guidance offers a detailed description of key components of a program to monitor for cybersecurity vulnerabilities. It advises organizations to develop:
- Methods to identify, characterize and assess cybersecurity vulnerabilities
- Methods to analyze, detect and assess threat sources
Monitoring should include a number of sources of information to identify possible cybersecurity vulnerabilities. These include information from independent security researchers, in-house testing departments, suppliers of software and hardware, and complaints from patients, physicians or healthcare facilities. With regard to software, an organization should implement practices to monitor all third-party software components for new vulnerabilities and ensure that updates and patches are effective.
Further, a quality review team should have a process in place to evaluate the level of risk presented by an identified vulnerability. The process should also address ways to control those risks and monitor the effectiveness of the controls.
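The component monitoring described above can be sketched as a scan of each device's third-party software inventory against advisory records, followed by a re-scan to confirm that a proposed update actually clears the finding. This is an added example, not code from the FDA guidance; the device models, component names, advisory identifiers and record layout are constructed placeholders.

```python
def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def affected(version, advisory):
    """True if version is in [introduced, fixed); fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def scan(inventory, advisories):
    """Return sorted (device, component, version, advisory_id) findings."""
    findings = []
    for device, components in inventory.items():
        for name, version in components.items():
            for adv in advisories:
                if adv["component"] == name and affected(version, adv):
                    findings.append((device, name, version, adv["id"]))
    return sorted(findings)


def patch_is_effective(inventory, advisories, device, component, new_version):
    """Re-scan with the proposed version and confirm the component has no findings left."""
    updated = {d: dict(c) for d, c in inventory.items()}
    updated[device][component] = new_version
    return not any(f[0] == device and f[1] == component for f in scan(updated, advisories))


# Constructed sample data: every name and identifier below is a placeholder.
INVENTORY = {
    "infusion-pump-fw-3.2": {"example-tls": "1.0.9", "example-rtos": "5.4.0"},
    "telemetry-hub-fw-1.7": {"example-tls": "1.1.3", "example-ble-stack": "2.10.1"},
}
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "example-tls", "introduced": "1.0.0", "fixed": "1.1.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "example-ble-stack", "introduced": "2.9.0", "fixed": "2.10.2"},
    {"id": "ADVISORY-PLACEHOLDER-3", "component": "example-tls", "introduced": "1.1.0", "fixed": "1.1.5"},
]
```

In this sample data, moving the pump's `example-tls` to 1.1.2 clears the first advisory but lands inside the range of the third, which is why the re-scan checks the component against every advisory rather than only the one that prompted the update.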
3. Develop a Robust Cyber Risk Management Plan
Another crucial aspect of medical device security is the need for robust organizational — rather than product-specific — cyber risk management planning. An organization’s risk management strategy should include:
- Periodic enterprise-wide risk assessments of connected devices
- Exercises to assess cyber incident response
- Cybersecurity education and training
- Periodic reviews of insurance coverage for cyber incidents and related claims
- Identification of external forensic experts or crisis managers before an incident
- Periodic review of internal corporate policies and governance mechanisms that will shape the flow of information to the board in the event of a cyber incident
Ultimately, the promise of connected medical devices goes hand in hand with increased cyber risk. By tapping the resources available to providers and developers, as well as applying lessons learned from other industries, healthcare organizations can work to protect patients and staff from the impact of a medical device security breach.