9 10 · manufacturers to combat hacking threats is to consider and evaluate cybersecurity...


Cybersecurity is front and center in all industry sectors now that practically everyone and everything is connected to the internet. The National Highway Traffic Safety Administration is working on accelerating cybersecurity standards for automakers now that today’s automobiles are computerized (and some are self-driving), creating the risk that hackers could remotely take control of a moving vehicle. Recent headlines have focused on hackers targeting law firms by leaking confidential information, such as the “Panama Papers,” or shutting down a firm’s email and computer systems (and thus their billable hours) through ransomware, as DLA Piper recently experienced. Likewise, the retail and credit industries have had their fair share of headlines, including the recent Equifax hack in September. Additionally, headlines featuring cybersecurity concerns from hospital networks and device manufacturers in the healthcare industry have become more prevalent and pose significant threats to patient safety, protected health information, reputation, and even stock prices. Having your credit card compromised is one thing; but having a hacker steal your medical records or access and remotely control your implanted medical device is quite another. As devices become increasingly connected and sophisticated, they become more susceptible to cyber-attacks. In order to protect patient safety as well as control the negative publicity that stems from publicized vulnerabilities, medical device manufacturers need to proactively identify cybersecurity threats and implement software or firmware updates to mitigate threats.

WHAT MAKES THE HEALTHCARE INDUSTRY DIFFERENT?

The healthcare industry is particularly vulnerable to cyber-attacks in the form of unauthorized access to protected health information (subject to HIPAA and FISMA regulations), email phishing and malware attacks on hospital networks, and remote takeovers. A single compromised connected device can allow attackers to compromise an entire network. Hackers are targeting the healthcare industry because patient data is a valuable target, healthcare networks may be less secure, there is an expansive victim pool, and there is a lack of regulatory control on device cybersecurity. Ransomware attacks on hospitals are becoming more prevalent. In this scenario a hacker gains access to and encrypts a hospital’s network and data, thereby forcing hospital administrators to decide whether to pay the hacker’s ransom demand in order to get the decryption key or to shut down operations while the authorities conduct an investigation.[1]

EXPECT TO SEE MORE WARNING LETTERS AND SAFETY ALERTS FROM THE FDA REGARDING FIRMWARE UPDATES

The most commonly described cybersecurity threats to connected devices concern hackers remotely accessing insulin pumps or pacemakers. Pacemakers contain embedded computer systems that can be vulnerable to cybersecurity hacks. As medical devices become increasingly interconnected via the Internet to hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates. An episode of the TV show Homeland depicted a scene where hackers assassinated the Vice President of the United States by remotely disabling his pacemaker. This scene was reportedly inspired by Dick Cheney’s revelation that he had the wireless function of his pacemaker disconnected while he was Vice President because he was concerned that hackers might access his device remotely to harm him.[2]

On August 29, 2017, the FDA and Abbott, which acquired St. Jude Medical earlier this year, issued a safety notification encouraging patients with implantable pacemakers to see their doctors for a firmware update that reduces the risk of unauthorized access to the device.[3] Abbott issued a “Dear Doctor” letter the day before describing the firmware update process.[4] Firmware is the software embedded in the hardware of a medical device; for an implanted pacemaker it is applied in a clinical setting by a healthcare provider rather than downloaded by the patient, which is why the notification directs patients to their doctors. Although there are no known reports of patient harm related to these vulnerabilities, the FDA’s safety notification confirmed that they are a real threat because an unauthorized user could remotely harm a patient by rapidly depleting the battery or by sending inappropriate pacing commands. All medical device manufacturers should use Abbott’s recent experience as an example of why it is critical to proactively patch cybersecurity vulnerabilities before hackers (or the FDA) create a patient safety or PR nightmare.

A cybersecurity researcher brought potential vulnerabilities to Johnson & Johnson’s attention after identifying ways hackers could exploit a cybersecurity flaw in its connected insulin pump devices to remotely trigger additional doses of insulin, which could be life-threatening in extreme cases.[5] On October 4, 2016, upon learning about this vulnerability, Johnson & Johnson proactively warned customers and provided advice on how to mitigate the risk. This was reportedly the first time a manufacturer had proactively issued such a warning to patients about a cybersecurity vulnerability.[6]

FDA’S POSTMARKET GUIDANCE

To help protect against the evolving threat of hacking, the FDA has issued postmarket guidance to medical device manufacturers for continued monitoring, reporting, and remediation of device cybersecurity vulnerabilities.[7] Key takeaways from the new guidance include: (1) Medical device manufacturers should monitor, identify, and address cybersecurity vulnerabilities through the establishment of postmarket cybersecurity management processes; (2) A risk-based framework should be used for assessing when cybersecurity-related device changes should be reported to the FDA; and (3) Cybersecurity risk management is a shared responsibility among stakeholders that include the medical device manufacturer, the user, the Information Technology system, hospitals, and Health Information Technology developers and vendors.

Further, the FDA encourages hospitals and device manufacturers to implement the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The best way for device manufacturers to combat hacking threats is to consider and evaluate cybersecurity vulnerabilities through the total lifecycle of the device, from building in cybersecurity controls during development to continuously monitoring and patching vulnerabilities once the product is being used by patients. The FDA’s guidance indicates that manufacturers are not required to report to the FDA routine cybersecurity updates and patches (considered device enhancements), as long as the risk of patient harm is controlled. In assessing whether a risk is controlled or uncontrolled, “manufacturers should consider the exploitability of the vulnerability and severity of patient harm if exploited.” Even for an uncontrolled risk, the FDA does not intend to enforce reporting requirements under 21 CFR Part 806 (reports of corrections and removals) if all of the following circumstances are met: (1) No known serious adverse events or deaths are associated with the vulnerability; (2) Remediation occurs within a tiered timeline, under which the manufacturer notifies its customers and user community within 30 days of learning of the vulnerability and distributes a validated fix within 60 days; and (3) The manufacturer actively participates as a member of an Information Sharing Analysis Organization (ISAO) that shares vulnerabilities and threats that impact medical devices. Importantly, device manufacturers may need to consider implementing cybersecurity controls for legacy devices that are connected to networks.

BEST “CYBER HYGIENE” PRACTICES: IDENTIFY, PROTECT, DETECT, RESPOND AND RECOVER

Taking into consideration the FDA’s Postmarket Guidance, medical device manufacturers and healthcare systems should implement best “cyber hygiene” practices to establish a proactive, comprehensive risk management program to mitigate, monitor, and protect against cybersecurity threats, including:

1. Automated monitoring of cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and malware across all medical devices, especially those devices that are connected to networks;
2. Maintaining robust software lifecycle design verification and validation processes that include mechanisms for identifying and assessing risks, as well as updating and patching to protect against new vulnerabilities;
3. Educating and training company leadership and employees on understanding, assessing, and detecting the presence and impact of a vulnerability (such as being aware of email phishing schemes and how to avoid them);
4. Engaging in collaborative information sharing for cybersecurity vulnerabilities and threats;
5. Proactively communicating cybersecurity updates and guidance to patients and healthcare providers; and
6. Establishing an incident response and corrective action plan for handling a cyber-attack if one occurs, including investigation, managing the event, preserving the evidence, complying with privacy laws, and notifying the applicable regulators.
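Item 1 above, automated monitoring of advisory sources against the device fleet, comes down to cross-referencing a device inventory with a normalized advisory feed and ranking networked devices first. The following is an added example written for this page, not code from the article or from any device vendor or regulator. It assumes the healthcare system keeps an inventory recording vendor, model, firmware version and network status for each device, and that advisories (vendor notices, ICS-CERT medical advisories) have already been normalized into a vendor, a model and the first firmware version that carries the fix. Every vendor, model, version and advisory identifier below is constructed sample data, not a real product or a real advisory.

```python
"""Cross-reference a medical-device inventory with a normalized advisory feed.

Added example for this page; not code from the article or any vendor.
Assumes an inventory of (vendor, model, firmware, networked) per device and
advisories normalized to (vendor, model, first fixed firmware version).
All identifiers used as sample data are constructed and hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    networked: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    fixed_in: Optional[str]  # first firmware version with the fix; None = no fix released yet


@dataclass(frozen=True)
class Finding:
    asset_id: str
    advisory_id: str
    priority: str  # "high" for networked devices, "medium" otherwise
    action: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints ("2.1.0b" -> (2, 1, 0))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """True if firmware version a is strictly older than b; "2.1" is treated as "2.1.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def _same_product(device: Device, advisory: Advisory) -> bool:
    return (device.vendor.casefold() == advisory.vendor.casefold()
            and device.model.casefold() == advisory.model.casefold())


def is_affected(device: Device, advisory: Advisory) -> bool:
    """A device is affected if it is the advisory's product and runs firmware older than the fix."""
    if not _same_product(device, advisory):
        return False
    if advisory.fixed_in is None:
        return True  # no fixed version exists yet, so every firmware level is affected
    return version_lt(device.firmware, advisory.fixed_in)


def find_exposed(devices: List[Device], advisories: List[Advisory]) -> List[Finding]:
    """Return one finding per (device, advisory) match, networked devices first."""
    findings = []
    for device in devices:
        for advisory in advisories:
            if not is_affected(device, advisory):
                continue
            if advisory.fixed_in is None:
                action = "no fix available: isolate from the network and monitor"
            else:
                action = f"update firmware to {advisory.fixed_in}"
            priority = "high" if device.networked else "medium"
            findings.append(Finding(device.asset_id, advisory.advisory_id, priority, action))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.priority], f.asset_id))


# Constructed sample inventory and advisory feed (hypothetical vendor and models).
SAMPLE_DEVICES = [
    Device("INF-001", "Acme Medical", "InfusionPro 3", "2.0.4", networked=True),
    Device("INF-002", "Acme Medical", "InfusionPro 3", "2.1.0", networked=True),
    Device("MON-007", "Acme Medical", "VitalsMonitor X", "5.2", networked=True),
    Device("PMP-003", "Acme Medical", "InfusionPro 3", "1.9.9", networked=False),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-2017-001", "Acme Medical", "InfusionPro 3", fixed_in="2.1.0"),
    Advisory("ADV-2017-002", "Acme Medical", "VitalsMonitor X", fixed_in=None),
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_DEVICES, SAMPLE_ADVISORIES):
        print(f"[{finding.priority}] {finding.asset_id} {finding.advisory_id}: {finding.action}")
```

Running the module prints one line per exposed device, networked devices first. A device whose advisory carries no fixed version is flagged for isolation and monitoring rather than patching, which is the connected legacy-device situation the guidance calls out. In practice the hard part is the normalization step, since real advisories describe affected versions in prose, and the version comparison must be tolerant of vendor-specific formats such as a trailing letter.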

One thing is very clear: manufacturers need to understand, assess and detect the level of potential risk that cybersecurity vulnerabilities pose to patients and then implement processes to continuously monitor and rapidly detect and patch those vulnerabilities before they are exploited. Manufacturers have the obligation to ensure that connected legacy devices are still able to protect patient data and mitigate cybersecurity threats. Failure to properly assess cybersecurity risks of connected devices during the premarket phase is likely to lead to the FDA rejecting or delaying devices from coming to market. Similarly, failure to continuously assess and patch vulnerabilities of connected devices already on the market is likely going to result in FDA warning letters or other enforcement action, negative publicity, damage to reputation and patient trust in the company, and, most importantly, potential harm to patients. Lastly, healthcare systems should be cognizant of the devices that are connected to their networks and have processes in place for monitoring and detecting cybersecurity threats.

1. Should Hospitals Pay Up Following A Ransomware Attack? The Answer is Far From Simple (Evan Sweeney, April 27, 2017), http://www.fiercehealthcare.com/privacy-security/should-hospitals-pay-up-following-a-ransomware-attack-answer-far-from-simple.

2. Medical Device Cybersecurity: Maybe Dick Cheney Was Not So Paranoid After All, Drug & Device Law Blog (Steven Boranian, Sept. 4, 2015), https://www.druganddevicelawblog.com/2015/09/medical-device-cybersecurity-maybe-dick.html.

3. FDA Safety Communication, Firmware Update to Address Cybersecurity Vulnerabilities in Abbott (formerly St. Jude Medical) Pacemakers (Aug. 29, 2017), https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm.

4. Abbott (St. Jude Medical) “Dear Doctor” Letter, Pacemaker Firmware Update (Aug. 2017), https://www.sjm.com/~/media/galaxy/hcp/resources-reimbursement/technical-resources/product-adviseries-archive/cybersecurity-pacemaker-firmware/pacemaker-firmware-update-doctor-letter-aug2017-us.pdf?la.

5. J&J Warns Diabetic Patients About Hacking Risks of Insulin Pumps (Michelle Cortez, Oct. 4, 2016), https://www.bloomberg.com/news/articles/2016-10-04/j-j-warns-diabetic-patients-about-hacking-risks-of-insulin-pumps.

6. J&J Warns Diabetic Patients: Insulin Pump Vulnerable to Hacking (Jim Finkle, Oct. 4, 2016), http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e/jj-warns-diabetic-patients-insulin-pump-vulnerable-to-hacking-idUSKCN12411L.

7. Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Issued on Dec. 28, 2016), https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.

Paul S. Rosenblatt