Editor's note: This is the second in an ongoing series on the growing cybersecurity risks of medical devices
Medical device manufacturers and hospitals are both responsible for protecting devices from cybersecurity threats and working together to manage the risks to patient safety.
However, while there is recognition of shared cyber responsibility on both sides, device security continues to be a casualty of a hospital-medtech divide that often results in finger pointing between these two stakeholders and at times a lack of coordination. The effect is that patients' lives can be in danger from outdated and unprotected medical devices.
If cybersecurity risk is not effectively minimized or managed throughout the life of a device, it could potentially result in patient harm such as illness, injury or death as a result of delayed treatment or other impacts to device availability and functionality. The stakes are high as the FDA seeks to achieve more transparency when it comes to device vulnerabilities.
Nowhere is the blame game and division between hospitals and medtechs more prominent than when it comes to the challenge of defending older legacy medical devices against the growing threats of hacker attacks.
Hospitals contend that many legacy devices were not built with security in mind and as the end users, in the final analysis, they bear a much heavier burden for trying to secure them than medtechs do. The American Hospital Association wants to see the FDA mandate lifetime support of medical devices by manufacturers.
John Riggi, AHA's senior advisor for cybersecurity and risk, claims that the majority of medical devices used by hospitals are legacy devices that rely on operating systems such as Windows 7 that Microsoft no longer supports with security patches and updates.
Compounding the problem is that a health system can have tens of thousands of devices from hundreds of manufacturers connected to its network, creating an overwhelming cybersecurity management challenge for healthcare facilities already burdened with safeguarding their traditional IT assets.
According to cybersecurity firm Sensato, there is an average of 6.2 vulnerabilities per medical device, and the FDA has issued recalls for such critical devices as pacemakers and insulin pumps with known security issues, while more than 40% of medical devices are at the end-of-life stage, with no security patches or upgrades available.
Earlier this month, the Cybersecurity and Infrastructure Security Agency issued an alert about critical vulnerabilities in Siemens software, originally released in 1993, that could potentially impact millions of medical devices from multiple manufacturers. Siemens released updates for several of the affected products and the company advised users of unpatched devices to take countermeasures but did not identify any additional specific workarounds or mitigations, according to CISA.
While there are no known attacks that have specifically targeted the vulnerabilities, CISA said there is the potential for hackers to disrupt the operation of critical medical devices such as anesthesia machines and bedside monitors. FDA asked all manufacturers to assess their exposure to the vulnerabilities in the Siemens software.
Nick Yuran, CEO of security consultancy Harbor Labs, said some of the affected medical devices could have been in clinical use with these vulnerabilities for nearly 30 years, adding it's "another wake-up call" for the medtech industry about the hidden risks in legacy devices.
At the same time, a lot of hospitals don't have an accurate view of their inventories of medical devices, which makes it impossible to protect them from hackers.
A recent survey from the Ponemon Institute found only 36% of healthcare delivery organizations surveyed consider themselves effective in knowing where all medical devices are, while just 35% indicated they know when a device vendor's operating system is end-of-life or out-of-date.
When technology goes end of life, that "means end of security," according to Rob Suárez, Becton Dickinson's chief information security officer, who added it's very expensive to upgrade a large inventory of legacy devices.
"It's very important for medical device manufacturers and healthcare providers to work closely together to plan as part of procurement cycles for these necessary upgrades," Suárez said.
However, it is a massive challenge — especially for larger health systems that are dealing with a high percentage of legacy devices that are physically moved constantly within hospitals, AHA's Riggi argues. Clinicians often move these devices to different patient locations in facilities, placing them on the network and taking them off, which is far from optimal when trying to keep track of them, Riggi said.
"Sometimes a vendor will say, 'Well, the solution to that is you just need to buy a new device.' That's just not possible financially, especially given we have many hospitals and health systems that are under this crushing burden of COVID-19 and the financial pressure," Riggi said. "We have these devices that we cannot in many instances afford to replace."
While FDA has issued post-market guidance to medtechs on their requirements to secure medical devices, AHA contends that too often manufacturer support is lacking and hospitals must create their own custom device security controls, many of which are expensive, inefficient and do not scale.
Hospitals have "historically had these devices thrown over the fence" by manufacturers and "been told it's on you" once they are in operation on healthcare networks and behind firewalls, according to Vidya Murthy, COO of medical device cyber firm MedCrypt.
Murthy, who used to work for BD as senior manager of cybersecurity, contends that the device security demands on hospitals have built up to the point where healthcare organizations are "crumbling under the pressure" of trying to keep track of devices, let alone patching them.
"I think about the breadth of what a hospital has to manage," Murthy said. "It's not just a variety of devices but sheer volume. Some manufacturers are focused on just making a singular device and having cybersecurity dedicated just to that device and there's still vulnerabilities. It's an unrealistic expectation for hospitals to develop such an expertise per device."
Product lifecycle challenges
To start to help hospitals, FDA in July issued a discussion paper, following a 2018 report, in which it set a goal of strengthening and improving cybersecurity processes tied to the servicing of legacy devices used in healthcare settings beyond their intended lifecycles.
FDA noted that the original equipment manufacturers (OEMs) "have regulatory obligations regarding safety issues beyond security supportability, the individual components, such as operating systems and other third-party software components, may no longer be supported in advance of the healthcare establishment procurement cycles — or there may be financial reasons why a healthcare establishment elects to continue the use of a device past its end of life."
FDA warned that these unpatched medical devices will become increasingly vulnerable to cyberattacks over time and has called for more communication from OEMs when they can no longer support software upgrades and patches needed to address their devices' cybersecurity risks.
The agency has recommended the use of "responsibility agreements" between manufacturers and healthcare organizations regarding devices that may be able to stay within acceptable performance specifications via servicing, but will pose increasing cybersecurity risks the longer they remain in use.
However, Sensato CEO John Gomez believes there is a "misperception of responsibility" when it comes to device security that, fairly or not, places the burden squarely on the shoulders of hospitals, not device makers.
"I'm not minimizing the responsibility of device manufacturers. But, ultimately, when that device comes within the four walls of the hospital, they have to realize they are responsible. Patient safety and security is the hospital's responsibility," said Gomez, whose company has an agreement with FDA to share medical device and healthcare cybersecurity vulnerability information with stakeholders.
Gomez believes manufacturers have "stepped up" in terms of providing patches for legacy devices, while MedCrypt's Murthy contends most device makers are "trying to be good citizens" by putting out updates and providing information to hospitals on older medical devices that are still operating in the field.
However, hospitals are sometimes discouraged or even prohibited by manufacturers from doing the patches to devices themselves and for good reasons, said Erik Decker, chief information security officer at Intermountain Healthcare, during a virtual cybersecurity summit held last month by medtech BD.
"You can't just throw a patch on a device and assume that it's going to fix the issue because that patch could actually cause harm," Decker said. "It might not work properly or be quality checked. It could have its own consequences from a patient safety perspective."
Robert Smigielski, cybersecurity engineer at medtech B. Braun Medical, doesn't believe that healthcare organizations would know what to do with all the information on third-party software vulnerabilities, especially given the fact that hospitals must literally keep track of hundreds, if not thousands, of devices.
"We keep a handle on it. We're the medical device manufacturer. We have to know if there's an operating system that goes out of date. We plan for it — but, for the customer to know that?" Smigielski said. "We know that hospitals are out there running Windows 7 and they're kind of stuck with it. So, how is this going to help them? There's literally nothing they can do about it."
Intermountain's Decker emphasizes that healthcare delivery organizations have their own responsibilities when it comes to device security.
"We implement the devices. We have to manage and maintain them while they are used in clinical settings. That is our obligation," Decker said.
While MedCrypt's Murthy is sympathetic to the security demands weighing on hospitals, she believes that the burden shifts away from manufacturers when it comes to legacy devices that are no longer supported but continue to be used in healthcare facilities.
"If a hospital chooses to keep such an old device on the network well past when it should have been expired, they have to accept and understand the risk that comes with it," Murthy said.
Mandatory lifetime support
Hospitals complain they are forced to secure legacy devices over their useful lifetimes, such as medical imaging equipment, which can last decades, while many mitigation measures — such as firewalls, network segmentation, and taking devices offline — do not completely resolve the security concerns and can potentially impact clinical workflows and patient care.
The finalized postmarket guidance on cybersecurity explains FDA's present expectations for maintaining the security of deployed devices. However, currently, there is no statutory requirement (pre- or post-market) that expressly compels device manufacturers to address cybersecurity.
"One of the basic principles is security by design and providing the capability for the devices to be updated continuously. Lifetime support of the devices is another area that we'd like to see more manufacturers provide," Riggi said.
FDA, in the HHS fiscal year 2021 congressional budget justification, said it is seeking to require that devices have the capability to be updated and patched in a timely manner.
"Once the device is in their environment, hospitals need to know what security vulnerabilities are present and can be patched," Riggi said.
Suzanne Schwartz, director of CDRH's Office of Strategic Partnerships and Technology Innovation at FDA, told MedTech Dive the agency shares a similar sentiment. CDRH is developing an overall framework for consistent communication of medical device vulnerabilities.
FDA wants to have a new postmarket authority to require that medtechs adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified. In particular, Schwartz called out the importance of medical device companies publicly disclosing when they learn of a cybersecurity vulnerability so users know when a device may be vulnerable and to provide direction to customers to reduce their risk.
BD's Suárez says the company is committed to transparency when it comes to informing its customers and the industry about newly discovered vulnerabilities in its medical devices.
BD earlier this year claimed to be the first medtech company authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority, under a program sponsored by CISA, in an effort to make accurate and timely information available to their customers about its product vulnerabilities.
"You can't protect what you don't know. That's why transparency is so essential for all of us in the ecosystem of medical technology ... to truly understand what the issues are in these third-party components that are used in medical devices, assess the risk and then communicate that risk to customers," Suárez said.
While there are some medtechs that already participate in coordinated vulnerability disclosures (CVD), FDA's Schwartz contends it's a small percentage of the medical device industry that currently does so as a best practice.
CVD, which is currently in FDA's postmarket guidance, is a core principle for helping hospitals to "be better prepared and have the tools in place to address issues that arise," according to Schwartz. However, Schwartz made the case that requiring CVD as part of additional legislative authorities will "level the playing field — right now it is more voluntary."
This process of a voluntary approach between FDA and the manufacturers has not gone far enough, as it is discretionary for the device makers whether they should comply or not, Riggi argued. "It's not binding. We'd like to see some of that guidance be made mandatory through regulation."
However, Zach Rothstein, AdvaMed's vice president for technology and regulatory affairs, said the FDA guidance on post-market cybersecurity is binding for manufacturers, while maintaining that device companies and hospitals share responsibilities to keep medical devices secure over their useful lifetimes.
"This is an area [legacy devices] where AdvaMed and AHA would be more likely to be a bit more at different ends of the equation," Rothstein acknowledged during BD's virtual cybersecurity summit last month. "The legacy issue is complicated and it's not something that anybody is happy exists today."
Still, AHA makes the case that legacy devices have long been sold to hospitals by medtechs and there is little incentive for manufacturers to address the security of their installed base of products. That's why the hospital lobby is pushing FDA to make it clear that security measures to protect legacy devices are required, not optional, and post-market cybersecurity is binding.
FDA's recent Medical Safety Action Plan states that the agency plans to consider new pre-market authority requiring manufacturers to build capabilities to update and patch device security into product design, while providing a Software Bill of Materials that identifies the third-party components in a device so that end users can better manage the cyber risks. The agency's plan also included consideration of new post-market authority to require manufacturers to adopt policies and procedures for coordinated disclosure of vulnerabilities when they are identified.
However, FDA has yet to implement these requirements for manufacturers as the cyber threats to legacy medical devices continue to grow.
AHA's Riggi ultimately wants to see regulatory obligations for device makers in the same way that the auto industry is regulated.
"Auto manufacturers are obligated to continuously provide support and correct potential safety and other defects in vehicles for the lifetime of that vehicle," Riggi concludes. "There are regulations on the safety features included in motor vehicles. We don't leave it to the auto industry at their own discretion to implement seat belts, airbags and recalls."