ATLANTA – Cybersecurity threats are becoming increasingly prevalent in the med-tech industry. Large companies are not immune to these attacks and are in some cases more of a target than smaller firms. Earlier this month Abbott Laboratories Inc. received an FDA warning letter, citing vulnerabilities with its pacemakers. (See Medical Device Daily, April 17, 2017.) The Abbott Park, Ill.-based company was brought up as an example of the growing threat of cybersecurity breaches during a panel at the Southeastern Medical Device Association's (SEMDA) annual meeting, Wednesday.
Panelists presented data from BBR Services that showed 56 percent of the data breaches in the U.S. occur within health care. Panelist Kristen Woodrum, a partner at Baker & Hostetler LLP, said there is a lot of data flowing around, noting that it must be adequately protected.
"For medical devices, the risks and the stakes are a little bit greater," Woodrum said during the panel. "These are real life issues and actual concerns."
The fear of a hacking attempt caused Dick Cheney's doctor, Jonathan Reiner, to have the wireless functionality disabled on the former vice president's heart implant. (See Medical Device Daily, Aug. 6, 2015.) Reiner's concern was that a hacker could, in theory, access the device as part of an assassination attempt.
Medical devices are particularly vulnerable because they tend to run on outdated operating systems or on systems that do not receive the same level of patching and updates as those used by businesses. Often, device manufacturers prohibit patching or invasive monitoring, which results in malware infestations that IT and biomedical teams are not able to effectively monitor or manage.
The FDA has stepped up its efforts to combat the hacking of medical devices, said panelist Vimala Devassy, an attorney at Baker & Hostetler LLP.
"The FDA has been called in the last few years to close that security gap," Devassy told the audience. "We can only expect FDA to get more active in this area, as they are the one agency policing this activity."
In May of 2015, FDA issued guidance on the topic, which it said was intended to clarify how existing quality regulations apply to cybersecurity maintenance activities.
"These vulnerabilities may represent a risk to the safe and effective operation of networked medical devices and typically require an ongoing maintenance effort throughout the product life cycle to assure an adequate degree of protection," the FDA said in the May 2015 guidance.
Since then, the FDA has been hammering down on cybersecurity vulnerabilities in devices. Abbott inherited its cybersecurity woes when it acquired St. Paul, Minn.-based St. Jude Medical Inc. for $25 billion. (See Medical Device Daily, Jan. 5, 2017.)
The cybersecurity issues stemmed from problems with its high voltage and peripheral devices that were the subject of much back-and-forth between St. Jude and investment research firm Muddy Waters Research. St. Jude had long protested that the accusations from Muddy Waters, originally based on information from cybersecurity firm Medsec, were unfounded. But this month's FDA warning letter makes clear that cybersecurity has been – and continues to be – a problem for these St. Jude, now Abbott, devices.
"Data and security of the device is just as important now as safety," said panelist Courtney Warren, a risk consultant and property and casualty insurance broker at Rosenfeld Einstein, a Marsh & McLennan agency.
CYBERSECURITY ISSUES RAMPING UP
Cybersecurity issues are not new to the device industry, but they have been a growing concern over the past couple of years. In 2015, the FDA told hospitals not to use the Symbiq infusion pump from Lake Forest, Ill.-based Hospira Inc., now owned by Pfizer Inc., because of specific cybersecurity vulnerabilities associated with the device. The company later issued guidance on the topic to clarify how existing quality regulations apply to cybersecurity maintenance activities. The topic has also gained attention at industry events over the past year, including the annual meeting of the Advanced Medical Technology Association (AdvaMed). (See Medical Device Daily, Oct. 7, 2015.)
In October 2016, New Brunswick, N.J.-based Johnson & Johnson Corp.'s diabetes unit warned patients that the Animas OneTouch Ping insulin pumps may be vulnerable to a cyberattack, but the probability of one of the devices actually being hacked is "extremely low," the company said. (See Medical Device Daily, Oct. 5, 2016.)
Dublin-based Medtronic plc dealt with a similar issue with one of its infusion pumps back in 2011 after security software manufacturer McAfee alerted the company to a flaw in some models of the Paradigm insulin pumps.
At a heavily attended AdvaMed panel in 2015, Scott Rea, vice president of government and education relations at DigiCert Inc., said device companies would be better off putting a plan in place for when a cybersecurity issue does happen, rather than focusing all the attention on preventing an attack.
But there is no simple answer. SEMDA panelists said device makers and health care facilities that adopt the technology need to be concerned with how the device can be protected as soon as it is used.
"It's no longer just about the design and development of the medical device," Devassy said. "It's really about how are you going to support the device through its life cycle and how are you going to [keep up with] the patches to prevent vulnerability of the device."