The FDA has made medical device cybersecurity a high priority, even as it stresses that there have been no reported incidents of malicious medical device hacks or of patients harmed by a security-related issue.
But that assurance is based more on assumption than fact, experts say. And other evidence gathered in real-world healthcare environments suggests that the lack of cybersecurity reports at the FDA is more suspicious than comforting.
"I think we’re making a reasonable assumption that [malicious hacking] hasn’t happened, but it’s not based on any empirical evidence one way or the other," Codenomicon medical security global director Mike Ahmadi told MassDevice.com in an in-depth interview. "It may have happened."
Experts like Ahmadi, whose company is helping to provide the tools for the FDA’s newly announced "cybersecurity lab," temper their remarks by explaining that the risks of a medical device hack pale in comparison to the devices’ life-saving benefits. But they also want patients to be aware of the risks, however small they may prove to be.
"I hear this argument all the time, from vendors especially, that it hasn’t happened yet, that it isn’t really a security concern," medical device hacker and cybersecurity expert Jay Radcliffe told us after his recent presentation at the Black Hat cybersecurity conference in Las Vegas. "Does that mean we should just ignore it?"
Absence of evidence is not evidence of absence
Researchers have warned that the FDA’s adverse event databases are suspiciously lacking in cybersecurity issues, while reports from other healthcare systems suggest that malware infections are all but ubiquitous. During a period of time in which FDA’s recall and adverse events databases contained zero software security issues, the U.S. Veterans Affairs Dept. was reporting an average of more than 70 incidents each year.
In a study published last summer, Massachusetts researchers examined the FDA’s publicly available databases for signs of privacy- or security-related reports, finding that "the FDA recall database did not yield any recalls related to patient security or privacy over a 9-year period of analysis." The study also examined the FDA’s MAUDE adverse event database, finding a similar void.
"We’re making assumptions when we’re stating that no one has ever been maliciously killed with an implanted device. The reality of it is it can be done. And we need to protect people against that" – Codenomicon’s Mike Ahmadi
"While the lack of any security or privacy concerns through these 2 mechanisms may be reassuring, it seems more likely that the current recall classification scheme does not adequately capture device malfunctions of this type," according to the study.
The FDA’s apparent lack of medtech security data also contrasts heavily with trends reported by the VA’s Office of Information Security, which maintains statistics on malware infections for more than 150 agency medical centers. In a 2-year period, between January 2009 and December 2011, the VA office reported 142 separate incidents affecting 207 medical devices. Infected devices included radiology systems, cardiology imaging, the GI lab and more. In at least 1 incident, patients had to be transported to a different clinic because a malware infection took necessary devices out of commission.
Experiences at VA hospitals are especially telling, because the veterans agency is considered 1 of the most forward-thinking on the issue of healthcare cybersecurity. The VA is an important bellwether for healthcare data management, in part because it’s required by mandate to maintain certain security standards and partly because VA officials are liable to Congress when things go wrong.
"If you want to identify an organization as being the most forward-thinking, the most innovative and the most proactive enterprises in the country regarding medical devices and security and safety, [it’s] the VA," Medical Device Innovation, Safety & Security Consortium co-founder and executive director Dr. Dale Nordenberg told us. "I just can’t emphasize enough the difference they’re going to make in terms of the lives of people in this country."
The prevalence of software security issues reported at VA hospitals prompts a question: Why aren’t similar trends cropping up in the FDA’s data? It may be in part because the FDA’s databases aren’t structured to look for them and in part because device users may not know how to identify cybersecurity issues when they occur.
"We believe that the inconsistency between databases is due to lack of a meaningful and convenient reporting mechanism, but we also believe that clinicians without expertise in computer security are unlikely to recognize the difference between a virus infection and a crashed or slow computer," according to the Massachusetts researchers. "To detect a security or privacy problem that could harm patients, a more effective information sharing system for medical device cybersecurity should be established."
Radcliffe, who burst onto the medical device cybersecurity scene when he hacked his own insulin pump live on stage during a Black Hat presentation, has also raised concerns about the FDA’s adverse event reporting system, warning that real problems may be obscured by hundreds, if not thousands, of unhelpful reports that are all lumped together.
"I can look through those experiences … and look for bugs – sort of," Radcliffe told MassDevice.com after his Las Vegas presentation, in which he warned of a "flaw" in a Johnson & Johnson (NYSE:JNJ) insulin pump (J&J told us that the "flaw" is in fact a deliberate design feature). "But there are so many of them, there are so many dropped-in-the-toilet stories, or, ‘I put the battery in backwards and it didn’t work.’ It’s hard to find substance in a lot of that. It’s literally looking for a needle in a haystack."
Interrogating the machine
The missing link might be found by examining a patient’s medical device, either after an adverse event or post-mortem, to determine whether there was any sort of anomaly that could indicate foul play. But many devices on the market today don’t maintain the internal record-keeping that could record malicious hacking, or demonstrate definitively that there was none involved.
"Implanted devices by and large do not log; many medical devices don’t have any logging whatsoever," Codenomicon’s Ahmadi told us. "We’re making assumptions when we’re stating that no one has ever been maliciously killed with an implanted device."
Codenomicon is helping integrate testing tools to make sure new devices can maintain data security and integrity when faced with some common penetration methods for the FDA’s cybersecurity project. The lab marks the FDA’s most recent foray into medical device cybersecurity oversight, following an agency statement issued earlier this year asking medical device makers to begin documenting their security efforts.
The new lab marks a huge stride forward in medical device security oversight, but it’s also an uncertain one. The FDA hasn’t really outlined what the lab will do or whether the agency plans to routinely test new devices.
"While I think the FDA opening a cybersecurity lab is particularly wonderful of them, the FDA is not stating that they’re going to test these products," Ahmadi noted. "So what does that mean?"
What is the risk, really?
Although cybersecurity researchers are adamant that healthcare technologies need stronger defenses, they don’t minimize the value that medical devices offer to patients. Even with security concerns, the benefits far outweigh the risks, Radcliffe said.
"One of the things that I’m very careful about saying is that if you have a child or if you wear 1 of these devices, keep wearing it. It is safe," Radcliffe said. "Now, are there concerns? Yes. But you know that your credit card can get stolen when you shop on Amazon. There’s a risk to that, but you still shop at Amazon."
Rather than scaring patients away from medical devices, Radcliffe hopes to raise awareness so that consumers can make more informed choices about their healthcare. He likened the issue to a variety of potentially risky daily choices that people face, including the risk of getting into a car accident each time you get behind the wheel or the risk of having your identity stolen when you hand over your credit card at a restaurant.
“If you have a child or if you wear one of these devices, keep wearing it. It is safe.” – Jay Radcliffe
"You’re aware of that risk, you can make a decision," Radcliffe said. "You’re aware that there are some concerns with medical devices, so you’re going to be more careful with them. It’s not a perfect thing. Just like a computer, it’s not perfect, so you’re going to be a little cautious about it."
Security ahead of the curve
Ahmadi and Radcliffe both hope to see companies more actively defend their devices by finding and patching vulnerabilities before the "bad guys" can get their hands on them. Budgets are tight and medical devices already face a barrage of regulatory concerns before they hit the market, Ahmadi conceded, but security is an ever-increasing issue and the medtech industry would do well to stay a few steps ahead.
Some companies have made strides in building robust security into their devices, but few are talking about the issue in the public.
"I would love organizations to take a more proactive approach, and some of them do take a very proactive approach," Ahmadi told us. "Intuitive Surgical (NSDQ:ISRG), which is one of our biggest customers, is extremely proactive. No one has ever attacked them, but they are doing an absolutely amazing job – even though no one’s forcing them to."
Other industry leaders, such as Medtronic (NYSE:MDT), have also made cybersecurity an important imperative for new generations of devices. CEO Omar Ishrak told MassDevice.com that security was a “high priority” for the pure-play medical device giant.
"It’s something that we’re working on and at the same time we’re cognizant that we need to work with others," Ishrak told us when we caught up with him at a conference last fall. "There’s a lot of innovation in this area, a lot of fast-moving innovation, and we just need to be on top of the dynamics."
The Medical Device Innovation, Safety & Security Consortium plans next month to release a pair of pilot programs that will provide medical device makers a set of shared cybersecurity guidelines and give healthcare providers a tool that allows them to assess and compare the cybersecurity capabilities of medical devices before they buy them. MDISS operates partly on the premise that pretty much all networked technology, including medical technology, is hackable and therefore at risk, but also emphasizes that healthcare systems are willing to pay for more security.
With so many security experts warning that it’s just a matter of time before medical device hacks move from theory to reality, Ahmadi hopes that security will out-pace crime, but he’s not always optimistic.
"The problem in terms of medical device security is going to get worse before it gets better," he lamented. "What we’re really talking about is criminal activities, we’re talking about somebody maliciously going after someone who’s weaker and using a life-saving device as a weapon against them.
"The reality of it is it can be done. And we need to protect people against that."