FDA: Risk of Wearables Hacking Exists
Medical Device Cybersecurity: Maybe Dick Cheney Was Not So Paranoid After All
by Steven Boranian
Dick Cheney famously disclosed a few years ago that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might fiddle with the device remotely and do him harm. We at the Drug and Device Law Blog can’t help but wonder whether the Veep placed himself ahead of or behind the risk-benefit curve. Sure, he mitigated the risk that some malicious and very clever hacker would successfully target him. But he also disabled an important feature of a device that was intended to protect and extend his life.
Was he better or worse off? We don’t know. We do know that when we first learned about wirelessly connected implanted medical devices, we were amazed by technology that appeared straight out of Star Trek. You know, like when Bones would treat some befallen Enterprise crew member in a color-coded T-shirt by waving a handheld device over his or her clothed skin. That’s how we pictured connected devices like cardiac defibrillators—capable of transmitting telemetry, issuing warnings, accepting software upgrades, taking commands, and otherwise treating human frailty—remotely and without the need for any invasive procedure.
The potential benefits to health are tremendous, and wireless connectivity is now common in numerous types of medical devices, implanted and not. But what about the potential risks? We are told that Cheney’s paranoia became the basis for an episode of Homeland, a show we have never seen, but that apparently involved a fictional Vice President harmed by pacemaker hackers with malice aforethought. (Although we have never watched Homeland, we have seen every episode of Veep, which stars Julia Louis Dreyfus as a different fictional Vice President (and later President) and is wickedly funny, but so profane that our mother-in-law elected to leave the room rather than watch it. But we digress).
So is medical device hacking a genuine risk or it is the stuff of television melodrama? You will be comforted to know that no one has reported an injury or death attributed medical device hacking. But that does not mean that we should dismiss the risk out of hand. In today’s world of the “Internet of Things,” where seemingly everything is networked, there have been news reports of hacking into things like automobiles, home security systems, even airplanes.
There is a risk that medical devices could be next. We do not know the scope or severity of the risk, and we are not Chicken Little. But a consensus has formed that there is a potential vulnerability here that needs to be addressed. On June 13, 2013, the FDA issued a Safety Communication entitled “Cybersecurity for Medical Devices and HospitalNetworks,” in which the agency recommended that “medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.” According to the Alert, the FDA had “become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices . . . .” When it came to describing the vulnerabilities, and especially the “incidents,” the FDA offered no particulars. It did, however, fire this shot across the bow:
For all device manufacturers: Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.
The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. . . .
Lest the FDA be misunderstood, it published a Draft Guidance the next day, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which became final on October 2, 2014. You can link to the Guidance on the FDA’s Website on cybersecurity here, and you can view the FDA’s Webinar on the topic here. The document’s guiding principle is that medical device security is a “shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.” The key audience, however, is medical device manufacturers, whom the FDA expects to integrate cybersecurity into the device development process and to address the following elements: (1) identification of threats/vulnerabilities, (2) assessment of the potential impact on functionality and patients, (3) assessment of the likelihood of threat/vulnerability being exploited, (4) determination of the risk levels and mitigation strategies, and (5) assessment of residual risk and risk acceptance criteria.
These should sound familiar: They are similar to elements to consider in assessing any risk, cyber or otherwise, only it seems the FDA views cybersecurity threats as unique. The agency says flat out that electronically connected medical devices are “more vulnerable,” and the whole point of the Guidance is that that security functions should be described and justified in premarket submissions. We commend the Guidance to interested readers, and we also commend—because we helped write it − a useful “RiskMitigation Checklist for In-House Counsel” that was posted yesterday on Reed Smith’s website.
We also recommend taking a look at the FDA’s recent Safety Communication on vulnerabilities in a particular infusion pump system (here and here), which is the first Safety Communication regarding a specific cybersecurity vulnerability. The Communication deals with an infusion pump system that could be accessed remotely through a hospital’s network. It was preventive in nature, and neither the FDA nor the manufacturer was aware of any unauthorized access actually occurring. But still, this is not cable television, and we expect that connectivity to hospital networks is a medical device common feature.
So maybe Dick Cheney was not so paranoid after all. We still do not know whether the Veep actually mitigated the risk of harm by disconnecting his device—even the FDA says that people should “carefully consider the balance between cybersecurity safeguards and the usability of the device.” But he was prescient to identify the issue before it entered the public’s (and apparently the FDA’s) consciousness.
Image by iStockPhoto