One of the authors of this piece uses a medical device that is wirelessly networked to the device’s vendor. The author recently received a text message from the vendor, sending “congratulations” for using the device for an entire week. The author replied with a suggestion that the vendor should keep its congratulations to itself and mind its own business (although worded more colorfully).
This got us thinking about the Internet of Medical Things (IoMT) and the cybersecurity challenges it raises. We all recognize that the ability to remotely adjust or reprogram a device, or to collect usage data for analysis, can provide many benefits:
- On an individual level, a user may receive information about his or her environment or condition compared to norms, which ideally results in a combination of education, engagement and empowerment that motivates healthful behavior. Sharing the information through networked systems with, for example, a user’s physician or hospital can be extremely beneficial to the patient by ensuring compliance with treatment protocols, alerting patients and health care providers to potentially dangerous symptoms, and the like.
- On a commercial level, the collected information allows suppliers to form a powerful bond with consumers, to focus their research and development dollars, and to develop new products and target marketing of those products.
- For the general public, evaluation of the information informs public policy and contributes to developments in epidemiology and new treatments and technologies using individualized or precision medicine and other innovative approaches.
In December of 2016, the Food & Drug Administration released non-binding guidance on “Postmarket Management of Cybersecurity in Medical Devices.” In its Guidance, the FDA observes that the “exploitation of vulnerabilities [of devices to cybersecurity threats] may represent a risk to health and typically requires continual maintenance throughout the product lifecycle to assure an adequate degree of protection against such exploits.” To respond to the threat, the FDA’s approach balances the likelihood of an attack, the impact of the exploitation on a device’s safety and performance, and the severity of patient harm if exploited.
Medical technology, however, has not always kept up with the law and risks. Many sensors and other devices used in IoMT are vulnerable to cyberattacks with resulting harm to patients. Complicating the scene, the FDA’s Guidance applies to medical devices that are “already on the market or in use.” Risks and challenges are outlined in “Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem,” and include the following:
- If the device was placed into the market years ago, the embedded software may not be adequate to address contemporary threats of cyberattacks.
- User manuals may provide technical information about the device and its communication systems, making it easy for hackers to penetrate the system.
- Encryption, firewalls, intrusion detection systems and other similar protections may slow the operation of low-power devices or reduce battery life, causing practical limitations and leading manufacturers to make trade-offs between operability and cybersecurity.
- If the device is networked to a health care system, hackers may gain access to the entire universe of electronic health records maintained by that system.
The FDA encourages all stakeholders – manufacturers, information technology developers and vendors, hospital and health care systems – to work together with an eye to the past, present and future. The goal is to reduce vulnerability so there is a “controlled risk of patient harm,” in the sense that after mitigation any residual risk is acceptable.
The FDA describes examples of “controlled risk,” such as the discovery of malware in a gas blood analyzer that does not result in manipulation of data stored and flowing through the device and does not compromise the safety and performance of the device; or public disclosure of a vulnerability that could allow unauthorized users to access a chemistry analyzer but not to manipulate data. In each case, the manufacturer can control risk by communicating to users about the risk and how to secure the device with a software update and patch.
Examples of “uncontrolled risk” include the malfunction of a device because of exploitation of a vulnerability in its software, or the possibility that an unauthorized user can reprogram a device (e.g., pacemaker or implantable defibrillator) in ways that could lead to serious injury or death. In these situations, the FDA’s stance is that without remediation, products exhibiting “uncontrolled risk” violate the Food, Drug & Cosmetic Act and are subject to enforcement and other action.
Many efforts are underway to address these risks, including the work of the International Organization for Standardization and International Electrotechnical Commission. It is clear to us that the market participants who get out in front of these challenges will enjoy a commercial and competitive advantage. As of this writing, however, the FDA has not found a workable solution to the problem of curmudgeonly lawyers.
Matthew I. Hafter is a partner focusing on technology transactions, development and licensing in a variety of industries.
Diane Romza-Kutz is a partner whose practice focuses on medical devices and life sciences.