In late August 2017, the US Food and Drug Administration recalled 465,000 Abbott Laboratories pacemakers due to cyber security vulnerabilities. Although this was the first time that the FDA had recalled a medical device because of cyber concerns, they have been alive to the significant risk that a cyber attack on medical devices could pose to individuals' health for a number of years. Given that 70 per cent of devices forming part of the Internet of Things have security vulnerabilities and 67 per cent of medical device manufacturers expect an attack to occur on one of the devices produced or used by their company in the next 12 months1, device manufacturers and healthcare providers should be taking proactive steps to properly design and build devices to avoid, and should be well equipped to deal with, the potentially life-threatening consequences of such an attack.
The Internet of Things (IoT) holds great promise for business collaboration and innovation. But as it grows, so too does the security risk. With recent predictions by Cisco, Ericsson and Gartner estimating the growth of networked devices to reach 20 to 26 billion globally by 20202, we can expect:
- the mass of digitised data to dramatically increase; and
- a greater risk that this data is subject to unauthorised access or misuse.3
Networked medical devices have the capacity to transform health care, but they may also expose patients and health care providers to safety and cyber security risks – the key ones being hacking attempts, malware infection, and increased vulnerability unauthorised access.4 Like many other IoT devices today, most medical devices 'were never designed with security in mind'.5
Cisco has reported that there are two key types of medical devices which are at risk of cyber attack:
- implantable medical devices which are implanted in the human body, for example, pacemakers or insulin pumps which could be accessible via wireless technologies; and
- network-attached medical devices which include diagnostic imaging systems, infusion pumps, ventilators, and other patient monitors.6
As you can imagine, an attack on either type of device could have serious consequences for an individual's health, or in a worst case scenario, threaten life.
In August 2017, the US Food and Drug Administration (the FDA) recalled 465,000 Abbott Laboratories pacemakers due to cyber security vulnerabilities. The vulnerability was in the pacemaker's firmware and meant that if exploited, hackers could potentially modify the device such that it administered incorrect pacing or its battery depleted faster than usual. The FDA expressed concern that, if exploited, patients could be harmed. In response, the manufacturer of the pacemaker has released a firmware update so that any device attempting to interact with the pacemaker will require authorisation to do so.7
The Therapeutic Goods Administration (the TGA) has not required any action to address the issue in Australia yet stating it will 'determine what, if any, action is required in Australia and will take into account the conclusions from the FDA investigations'.8
Fortunately no patients have been affected by the issue to date but this reinforces that the IoT revolution is set to increase the potential for physical harm as a result of malfunctions or cyber attacks.
Although this is the first time we've seen the FDA recall a medical device due to cyber vulnerabilities, cyber risk in medical devices is not a new area for regulators:
- In 2014, the FDA issued guidance on cyber issues that manufacturers should consider when developing medical devices and making submissions to the FDA before the product goes to market (referred to as 'premarket submissions').9
- In 2015, the FDA issued an alert in relation to infusion pumps (which automatically administer anaesthetic or other therapeutic medication) that contained a software vulnerability which meant that the device could be accessed remotely to modify the amount of medication it administered.10
- In 2016, the FDA released guidance on managing cyber security in medical devices after the device is in the market. The guidance emphasised that manufacturers should monitor cybersecurity vulnerabilities throughout the product lifecycle and that they should continually provide updates and patches to address any issues.11
Compliance with the Therapeutic Goods Act 1989
In Australia, the TGA has also issued warnings about the vulnerabilities in medical devices. In its March 2016 Medical Devices Safety Update, the TGA recommended that medical device sponsors and asset owners perform IT risk assessments 'by examining the specific clinical use of potentially affected products in the host environment'.12
Under the Therapeutic Goods Act 1989 (Cth) (the TG Act), medical devices must comply with a set of 'essential principles', many of which are directed at ensuring the safety of the device. Although none are specifically directed at cybersecurity, the first two principles are sufficiently broad to enable the TGA to require sponsors to address cybersecurity issues. While the TGA has not issued any clear guidance on the issue, a failure to adequately address cyber risk in a device that is supplied in Australia could breach a sponsor's obligations under the TG Act.
Compliance with the Privacy Act 1988
Aside from the potential safety implications of a medical device malfunctioning under cyber attack, manufacturers and users should also be aware of the risk to any health information collected or held by the devices.
The collection, holding, use and disclosure of health information in Australia is regulated by a complex web of different Federal and State laws including the Privacy Act 1988 (Cth).
- If a medical device does collect information, depending on where and how it is stored, manufacturers or healthcare providers may be subject to requirements to take reasonable steps to protect that information from unauthorised access, modification or disclosure and misuse, interference and loss (see, for example, Australian Privacy Principle 11).
- In the event of a data breach caused by third party access to a remote medical device, failure to appropriately consider and take steps to mitigate vulnerabilities in a medical device might be considered a breach of those obligations.
In addition, under the new notifiable data breaches scheme (the NDB Scheme) which will take effect from February 2018, notification to the affected individuals may be required (for more on the new NDB Scheme see our September issue of Pulse: Cyber Security.)
Key considerations when handling health information collected by a medical device
Because of the way in which the various State and Federal laws apply, it is important to get good advice before handling health information. Questions you should be thinking about are:
- Will the medical device be collecting information and if so, for what purpose?
- Do you need to obtain individual consent to collect, use or disclose health information that the device collects and if so, how will you obtain that consent?
- Who will have access to the information collected by the medical device? For example, the manufacturer, the patient or the health care provider?
- Where will the collected information be stored? For example, on the device or will it be transferred wirelessly to another location?
- Do your terms and conditions adequately address data collection and security issues?
- The growth of IoT devices in the medical world, and a failure to give appropriate consideration to their potential vulnerability to cyber attack could have serious implications for patient health and in some circumstances, could be life threatening.
- Manufacturers should consider cyber risks at the build and design stage of developing medical devices. Consider the TGA's March 2016 Medical Devices Safety Update and FDA guidance published in October 2014 on premarket submissions.
- Manufacturers and healthcare providers should get advice on and consider what information, if any, devices are collecting and how that information is stored. In particular, have you taken reasonable steps to ensure data security?
- Responsibility for cyber vulnerabilities may not end once the device is in use. Although we haven't seen any guidance to this effect in Australia, consider the FDA guidance published in December 2016 on postmarket management of cybersecurity in medical devices.,.
- Synopsys, Medical Device Security: An industry under attack and unprepared to defend.
- McKinsey Global Institute, The Internet of Things: Mapping the Value Beyond the Hype, June 2015.
- HP, HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack, July 29 2014.
- Deloitte, Networked medical device cybersecurity and patient safety.
- Cisco, 'FDA announces first-ever recall of a medical device due to cyber risk', 30 August 2017.
- Deloitte, Networked medical device cybersecurity and patient safety; Cisco, 'Understanding Medical Device Security', 8 September 2017.
- Food and Drug Administration, 'Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication' 29 August 2017,
- Healthcare IT News, 'Risk of hacking leads to unprecedented pacemaker recall', Lynne Minion, 01 Sep 2017.
- Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, October 2014.
- Food and Drug Administration, 'LifeCare PCA3 and PCA5 Infusion Pump Systems by Hospira: FDA Safety Communication – Security Vulnerabilities' May 2015.
- Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, December 2016.
- Therapeutic Goods Administration, Medical Devices Safety Update, Volume 4, Number 2, March 2016.