June 11, 2019 -- Connectivity, interoperability, and electronic data exchange are important technological advancements, but they also bring security concerns for manufacturers and users of in vitro diagnostics and other clinical lab equipment.
The use of internet- and network-connected devices, wireless devices, and flash drives is growing, as is the electronic exchange of data from patient electronic health records and other medical devices. Also growing is the potential for healthcare cybersecurity threats, which has created the need to implement effective cybersecurity precautions and strategies.
The cybersecurity issues plaguing healthcare have included malicious software that compromises IT system integrity and patient privacy, along with hacks that interrupt a medical facility's provision of patient care. Such threats are posing new risks to patients and clinical operations. The threats have become more frequent, severe, and clinically impactful, making some medical devices and provider networks inoperable. Cyberattacks can hinder diagnoses or treatment, negatively affecting patient outcomes.
With these issues in mind, the U.S. Food and Drug Administration (FDA) issued draft premarket cybersecurity guidance in October 2018 that updates recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks. Products at risk for a potential hack include IVD instrumentation, analyzers, and other tests and equipment routinely used in clinical labs. The time period allowed for comments on the guidance ended in March.
Nailing the details
In the draft guidance, the FDA proposed a cybersecurity bill of materials (CBOM) for medical devices. The CBOM would be submitted to the agency by device manufacturers before their devices reach the market. It would be in a machine-readable, electronic format and contain a list of the components in a device, including commercial, open-source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.
The information in the CBOM would enable device users -- including patients, providers, labs, and healthcare delivery organizations -- to effectively manage their assets and to understand the potential impact of vulnerabilities to the device and to a connected system. The information also would help users apply countermeasures to maintain the device's essential performance.
"The potential for cybersecurity issues is very real," said Wil Vargas, a director of standards at the U.S. Association for the Advancement of Medical Instrumentation (AAMI). "It's a potential that any sector experiences as it matures and becomes more sophisticated.
Medical devices don't operate on their own anymore; they are part of a system and must communicate with other pieces of equipment, Vargas explained. Manufacturers (of these devices) and patients benefit when the elements come together and work together as part of a larger system. But that brings risks, he said.
The availability of a CBOM would allow potential purchasers to learn about the inner workings of a device and determine if they could manage the cyberrisks involved before they purchase the product, he noted.
"I think the concept of a CBOM is interesting and would help users and manufacturers manage a device from a risk perspective," Vargas said. "But it might be difficult to implement when it comes to determining the depth of information that should be included."
The FDA last issued guidance on cybersecurity issues in 2014, and its update is meant to ensure that manufacturers are adequately addressing issues that are currently relevant for device design, labeling, and documentation, said Bethany Hills, chair of FDA practice, at the law firm Mintz in New York City.
The updated guidance reflects new policy thinking that will help companies assess the security required for their devices. The agency is proposing the CBOM as a new component that requires manufacturers to share information with device users, so that users can perform their own risk assessment of their devices and systems, Hills explained.
The FDA's goal is to establish a risk-based framework for manufacturers based on the level of risk of their devices. The guidance includes two tiers of cybersecurity risk: A device has a tier 1 risk if it can connect to a network or the internet and if it could be involved in a hack that could harm a patient. Tier 1 devices include connectable implantable defibrillators or pacemakers. Tier 2 risk involves any device that does not meet tier 1 risk criteria.
"What the FDA is really worried about is that someone could hack into a device, like a pacemaker, and directly control the device, potentially causing harm to a patient," Hills said. "Hacking also could change important test results and potentially cause harm to patients as well."
Make cybersecurity integral
Vargas said the best way to make a medical device secure is to build security as an integrated element into the device at the start, instead of considering security later as an "add-on."
"It becomes native," he said. "It's not an afterthought. It's a part of understanding the device."
He went on to explain that security isn't just about the standalone device, but rather making sure that an entire integrated system is secure. "If you have one infiltrated device, you don't want it to propagate into the other devices," he said.
Essentially, manufacturers, health systems, and the FDA must collaborate to adequately address potential cybersecurity risks and protect patient health.