FDA Warnings About ‘Cyberattacks’ Give CEs Leverage to Demand Better Security

From: AISHealth

Hospitals and other users of “active” medical devices should be pushing vendors and manufacturers to beef up security in the wake of an unusual June 13 warning from the Food and Drug Administration (FDA) that such devices are vulnerable to “cyberattack.” And while it is cold comfort to covered entities (CEs) now on the hook in the event of breaches and other HIPAA lapses, FDA also issued proposed guidance that is expected to result in enhanced protections for medical devices built and sold in the future.

Covered entities are obligated to safeguard protected health information (PHI) wherever it lies in their devices, especially active ones linked to networks, and in their health care information systems. CEs face investigations by the Office for Civil Rights (OCR) for missteps and possible sanctions — even if the source is devices now acknowledged to be vulnerable.

Mac McMillan, chair of the privacy and security policy taskforce of the Healthcare Information and Management Systems Society (HIMSS), tells RPP he hopes FDA’s June 13 “Safety Communication: Cybersecurity for Medical Devices and Hospital Networks” and proposed guidance issued the same day prove to be a “warning shot” that is followed up with real action to address the device vulnerabilities.

“Health care providers have complained for ages about the security of their medical devices. They have complained to the FDA, to the device manufacturers, about the fact that they have failed to develop [security] patches…a whole litany of issues, which are all mentioned in the warning and in the proposed guidance,” he says.

McMillan says the proposed guidance and warning are overdue, yet short on practicality for hospitals and others that use devices. He says CEs must continue to push their device vendors — and the government — to ensure the necessary security measures, along with ongoing updates and enhancements, are mandatory and enforceable. This may require the creation of some sort of certification like that required of electronic health records, he says.

No Longer the Stuff of Fiction

The warning by FDA was unusual in that it was not just addressed to device manufacturers, over which it has jurisdiction, but also to “hospitals, medical device user facilities, health care IT and procurement staff, and biomedical engineers.”

The issue addressed is “cybersecurity for medical devices and hospital networks,” FDA says in the warning. Hospitals and other providers are probably more familiar with keeping their machines, such as copiers and diagnostic and scanning equipment, compliant by erasing their memories (RPP 5/13, p. 6). FDA’s safety communication, however, goes further.

The agency says that it has “become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices and security networks.” But, it adds, “FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.”

But for many years medical device security experts have been warning about the vulnerability of devices to hacking and other intentional disruptions; security conferences in 2011 and last year featured demonstrations of how insulin pumps and pacemakers could be reprogrammed to deliver a lethal dose of insulin and a fatal shock. (Viewers of the Showtime fictional drama “Homeland” witnessed the death of the vice president in just such an attack on his pacemaker that experts said was fairly accurate from a technical standpoint.)

The demonstrations led to a report by the Government Accountability Office in August 2012 that recommended FDA take some of the steps it is now taking to shore up device security.

Now the agency is “recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks,” the agency says in the warning.

FDA Lays Out the Threats

Here are some of the things the FDA knows can go wrong:

  • “Network-connected/configured medical devices infected or disabled by malware;
  • “The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
  • “Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel).
  • “Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
  • “Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.”

But FDA’s advice to device manufacturers and hospitals to deal with the risk of these incidents isn’t complicated or detailed, and mostly sounds a bit like “HIPAA security light.”

The agency “is recommending that you take steps to evaluate your network security and protect your hospital system. In evaluating network security, hospitals and health care facilities should consider:

  • “Restricting unauthorized access to the network and networked medical devices.
  • “Making certain appropriate antivirus software and firewalls are up-to-date.
  • “Monitoring network activity for unauthorized use.
  • “Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • “Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device.” In determining who the manufacturer is or how to contact the firm, FDA recommends seeking assistance from FDA or the Industrial Control Systems Cyber Emergency Response Team (https://ics-cert.us-cert.gov).
  • “Developing and evaluating strategies to maintain critical functionality during adverse conditions.”

Security Patches Are a Major Concern
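As an added illustration (not from the article and not from FDA), the following script shows what the first, third and fourth recommendations above can look like when turned into a routine check rather than a checklist item: a per-device allow-list of which service ports a networked device should expose and which hosts may reach them, run over flow records from the device segment. Anything that violates the list is reported as a finding a hospital could document in its risk assessment and raise with the manufacturer. Every subnet, host address, port, device role and flow record below is a constructed assumption, chosen only to make the example run offline.

```python
"""
Added example, not from the article or from FDA: an allow-list audit over
constructed flow records for a medical-device network segment.

It exercises three of FDA's recommendations in code form:
  - restricting access to networked medical devices (per-device client allow-list)
  - monitoring network activity for unauthorized use (flows that break the list)
  - disabling unnecessary ports and services (flows to ports a device should not expose)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: the hospital keeps networked medical devices on one segment.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# ASSUMPTION: an inventory-derived policy, device IP -> {port: allowed client IPs}.
# 10.50.0.10 is imagined as an infusion-pump server reachable only by a clinical
# application server; 10.50.0.11 as an imaging workstation reachable only by the
# biomedical-engineering maintenance host.
POLICY: Dict[str, Dict[int, Set[str]]] = {
    "10.50.0.10": {443: {"10.20.0.5"}},
    "10.50.0.11": {22: {"10.30.0.9"}},
}

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# Constructed sample flows, as a firewall or NetFlow export might summarise them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.20.0.5", "10.50.0.10", 443),   # clinical app server to pump server: allowed
    ("10.30.0.9", "10.50.0.11", 22),    # biomed host to imaging workstation: allowed
    ("10.20.0.77", "10.50.0.10", 443),  # unlisted host reaching the pump server
    ("10.30.0.9", "10.50.0.10", 23),    # telnet to the pump server: port not in policy
    ("10.20.0.5", "10.50.0.42", 80),    # device on the segment that is not in the inventory
    ("10.20.0.5", "10.60.0.3", 443),    # destination outside the segment: out of scope
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def classify_flow(src: str, dst: str, dport: int,
                  policy: Dict[str, Dict[int, Set[str]]] = POLICY,
                  segment: ipaddress.IPv4Network = DEVICE_SEGMENT) -> Optional[str]:
    """Return None for flows outside the device segment, "allowed" for flows the
    policy permits, otherwise a short reason string describing the violation."""
    if ipaddress.ip_address(dst) not in segment:
        return None
    services = policy.get(dst)
    if services is None:
        # A host answering on the device segment that nobody inventoried.
        return "unknown device on segment (not in inventory)"
    allowed_clients = services.get(dport)
    if allowed_clients is None:
        # The device is listening on a service the policy says it should not expose.
        return "unexpected service port (disable if unnecessary)"
    if src not in allowed_clients:
        return "unauthorized source host"
    return "allowed"


def audit_flows(flows: List[Flow],
                policy: Dict[str, Dict[int, Set[str]]] = POLICY,
                segment: ipaddress.IPv4Network = DEVICE_SEGMENT) -> List[Finding]:
    """Run classify_flow over every record and collect the violations."""
    findings: List[Finding] = []
    for src, dst, dport in flows:
        verdict = classify_flow(src, dst, dport, policy, segment)
        if verdict is not None and verdict != "allowed":
            findings.append(Finding(src, dst, dport, verdict))
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed flows, the script reports three findings: the unlisted client talking to the pump server, the telnet connection to a port the pump server should not expose, and the uninventoried host on the segment. A real deployment would feed it exported flow records and keep the policy next to the device inventory so that a vendor's documented service accounts and maintenance ports are reflected in it explicitly rather than left open by default.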

Of the warning and recommendations, “It is nice to see that they finally recognized, officially, that there is a problem,” McMillan says. But that is where his praise ends. The suggestions are nearly “pointless,” particularly when it comes to CEs being able to address security vulnerabilities on their own.

“In order to make them meaningful, somebody is going to have to tell the medical device industry to pay attention to those recommendations,” McMillan says.

“Providers don’t have the latitude to make those changes,” he adds. “They are all trying to comply but their hands are tied.”

CEs and other providers have to seek permission from device manufacturers to upgrade security features, or to add security applications that provide them, if they aren’t already part of the device. Most often, he says, the manufacturer says “no.” “This is the loop that providers find themselves in,” McMillan says of covered entities.

But even FDA has said this is mostly nonsense. Several years ago, John Murray, Jr., an FDA compliance expert, noted in a presentation that he often gets questions from device users who say “they’ve called the device manufacturer and the device manufacturer said, ‘I can’t do anything, I have to get FDA approval.’ So we went back and examined this question and the answer is that pre-market review of a software patch or a cybersecurity update usually does not require [an] FDA pre-market approval” (see http://tinyurl.com/neh3srw).

McMillan says that, on the day he spoke to RPP, he had received a call from an official with an academic medical center (AMC) that embodied a perfect example of the problem.

The AMC was pondering the purchase of an application for a device that was “developed on XP,” a Microsoft product “coming close to the end of its life. By the end of this year it will no longer be supported by Microsoft.”

“Not only was [the application] built on a soon-to-be obsolete operating system, but on the very first version of the operating system. It had not been patched or [had] any of the service packs applied to it,” he relates with frustration and dismay. The problem, McMillan says, “is so widespread it’s not like you have a choice between those who are doing it wrong and those who are doing it right.” Manufacturers, he says, sell the products and manage products in a manner that is “most convenient for them.”

What Steps Can Covered Entities Take?

McMillan shared with RPP the following strategies that CEs can take, although he stresses that the ultimate burden to address these risks belongs to manufacturers.

  • When CEs conduct their risk assessment, these vulnerabilities should be “documented,” McMillan says, with that information provided to the manufacturers — and, in the unfortunate event of a breach — to OCR.
  • CEs could forward both the new FDA warning and the proposed guidance to their vendors, as McMillan says some of his clients have done, and insist “You need to fix this for us.”
  • Research the products. “In some limited cases there are options and vendors who do it correctly,” McMillan says. Buy from them.

Worth noting: Device manufacturers are business associates and, as such, must comply with HIPAA just like CEs. Yet the requirements apply only to how they handle the PHI that they use on behalf of the CE, McMillan says, and not to their devices that end up in the hands of CEs.

So where is OCR in all this? McMillan says the agency has been putting “pressure” on FDA and the Office of the National Coordinator for Health Information Technology (ONC) about this issue. However, OCR spokeswoman Rachel Seeger would say only that OCR had no “substantive” or “direct role in FDA’s guidance or warning.”

McMillan says there is talk of creating some kind of system for assessing medical device security features akin to HHS’s meaningful use certifications that apply to electronic health records. Only those that meet certain criteria, which include certain access controls, can be purchased with federal funds (RPP 9/12, p. 4). CMS and ONC maintain a list of certified EHRs (see http://tinyurl.com/kxv34d9).

If such a process were instituted, CEs could “select systems they know are on a current operating system, can run anti-virus software” and have necessary security enhancements, McMillan says. “That just doesn’t exist right now.”
