On October 1, 2019, the U.S. Food and Drug Administration (FDA) issued a Safety Communication that was a thinly veiled wake-up call to patients, doctors and manufacturers about potential cybersecurity vulnerabilities in software used in a wide range of connected medical devices.
At the time of writing, there haven’t yet been any confirmed adverse events related to the 11 identified vulnerabilities – referred to as “URGENT/11” by an unidentified security firm, and including function change, denial of service and data leaks – but the simple truth is that the malicious software to exploit them is already publicly available.
And, scary as it is, this isn’t the first such warning over medical device cybersecurity risk, and it definitely won’t be the last.
In June 2019, for instance, a device manufacturer recalled certain versions of its insulin pumps over cybersecurity problems. All the way back in March, the FDA sent out a warning about vulnerabilities in implantable cardiac defibrillators … that, in an ironic twist, were produced by the same manufacturer.
Hundreds of thousands of implantable devices have been recalled in the past several years over cybersecurity problems or concerns. In 2017, a leading medical device manufacturer voluntarily recalled 465,000 pacemakers that it said needed to have a firmware update – in other words, a security patch. Months later, only 25 percent of devices had reportedly been upgraded.
These identified digital vulnerabilities could have grave consequences for patients. For starters, there’s the possibility that hackers could cause an implanted device not to work properly (or at all). A malicious actor could, for example, command an insulin pump to deliver the wrong dose, resulting in dangerous blood sugar levels for the person with the implanted device.
And it’s not just implantable devices—any internet-connected device can be impacted. In 2018, Israeli researchers demonstrated that cyberattackers could hack into imaging devices and change the results, potentially putting patients’ lives at risk. In addition to accessing device function, hackers may also target electronic private health information (ePHI), a strategy that has the potential for massive data breaches.
Taking all of that into account, it’s clear cybersecurity risks are growing for manufacturers and the patients who rely on their devices for lifesaving medical care. In this post, we take a deeper dive into some of the biggest areas of exposure, look at new FDA guidance and discuss how manufacturers can leverage an automated quality management system (QMS) to better protect patients and healthcare providers.
Medical Device Cybersecurity Weak Spots
We should start by noting that certain vulnerabilities are, of course, completely outside of manufacturers’ control, such as when hospitals connect legacy devices to their internal network without updating them properly.
That being said, there are a number of common (and preventable) flaws that leave medical device manufacturers open to recalls—and patients at increasing risk of harm. Some of the top risks include:
- Devices built on third-party software that can be decades old (this is the case with the identified URGENT/11 vulnerabilities)
- Insufficient security controls such as anti-virus or encryption protections built into devices at the design stage
- No established procedures for patching known security vulnerabilities
- Inability to patch or update devices at all
New FDA Guidance Is On The Way
Recently, multiple regulatory agencies worldwide have published medical device cybersecurity guidance for premarket submissions, including France’s National Agency for the Safety of Medicines and Health Products (ANSM), Health Canada and Australia’s Therapeutic Goods Administration.
New device cybersecurity guidance is slated to be finalized by the FDA as well, with draft guidance released for comments in October 2018. Documentation related to the requirements of the FDA’s Quality System Regulation (QSR) – otherwise known as 21 CFR 820 – is often a part of the premarket submission, and the guidance states that a manufacturer must “establish and maintain procedures for validating the device design” and include “software validation and risk analysis, where appropriate.”
When you consider that the most recent FDA-published guidance dates back to 2014 – a huge gap given the rapid rate at which cybersecurity risks continue to evolve – then it becomes crystal clear that medical device manufacturers will need to keep an eye on the compliance landscape.
Once finalized, the new FDA guidance will obviously replace the 2014 document. It will include specific recommendations for industry in areas including device design, labeling and premarket submission documentation. And while a date for this finalized guidance has not yet been revealed, the agency recommends, in accordance with widely accepted risk management procedures, that manufacturers:
- Proactively identify potential threats and vulnerabilities
- Assess the impact of those threats on device function as well as patients
- Assess the probability of hackers exploiting identified threats and vulnerabilities
- Determine associated risk level and mitigation options
- Assess residual risk and risk acceptance criteria to determine when additional controls are needed
While these are non-binding recommendations, manufacturers would be well-advised to follow them as soon as possible, the FDA said.
With that in mind, the forthcoming guidance will not only help manufacturers protect patients – a quality goal that should be the bare minimum, naturally – but also ensure an efficient premarket review by demonstrating device security to regulators.
How an Automated QMS Can Reduce Device Cybersecurity Risk
The recent URGENT/11 warning may only be one of the many cyberthreats out there, but it serves to remind manufacturers that physical quality is only one part of the overall product lifecycle. In fact, the FDA has recommended that device manufacturers undertake a risk assessment sooner rather than later to determine whether their products are impacted.
From a larger perspective, however, protecting patients goes beyond a one-off risk assessment or activities based around reacting to problems. Instead, manufacturers must recognize the importance of an integrated QMS within the context of device cybersecurity.
Device safety starts with design, making it critical that companies leverage risk management tools like failure mode and effects analysis (FMEA). An effective FMEA allows teams to proactively assess all the ways a device could digitally fail—and what controls need to be implemented to prevent such failures.
What’s more, organizations can’t complete these types of assessments and then just toss them in a drawer somewhere or add them to a spreadsheet. Rather, the assessments need to be constantly updated to incorporate new information, and teams need to ask whether threats identified in FMEAs could apply to other product types.
Finally, organizations must have the high-level visibility and control over their quality processes to fully integrate this information into every area of their working practices, from change management to document control to employee training.
Medical device cybersecurity risks are growing more complex by the day, and there are no easy answers when millions of susceptible or vulnerable devices are already in use. And while emerging guidance is undoubtedly helping manufacturers align on a set of best practices for reducing these risks, companies with an integrated QMS are already a step ahead.
ETQ has been a leader in quality management software since 1992, and is trusted by over 550 global customers. With more than one million end users in a variety of industry sectors, ETQ’s mantra that quality creates limitless possibilities drives our SaaS solution forward, providing companies with the insights that they need to succeed in a competitive marketplace.