St. Jude cybersecurity vulnerabilities spark medical device hacking debate
A recent cybersecurity scandal involving St. Jude’s Merlin@home device sparked a renewed discussion within the medical device industry about the best way to address security flaws discovered by independent security experts, sometimes called “white hat” hackers. As medical devices become increasingly vulnerable to cyber attack, the industry has broadly accepted its new responsibility of continuously protecting approved devices from potential security breaches.
“The FDA is serious about cybersecurity,” said Kevin Fu, director of the Archimedes Center for Medical Device Security at the University of Michigan. On January 12, the Agency hosted a webinar outlining its new guidelines for approved devices. Part of the FDA guidance, which was finalized in December 2016, encourages companies to audit their own products by partnering with independent security experts. The FDA also encourages independent auditors who discover vulnerabilities to bring that information to the company or the FDA directly, a concept called “coordinated disclosure.”
That is not what happened in the St. Jude case, which began in August when the investment firm Muddy Waters published security flaws in the company’s Merlin@home transmitter, shorting St. Jude’s stock. “We felt notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug,” said Muddy Waters in prepared remarks.
St. Jude, which was recently acquired by Abbott Laboratories, sued Muddy Waters and called the allegations “misleading,” but an investigation by the FDA and the Department of Homeland Security later confirmed remote hacking was possible. To date, there is no evidence that any devices were actually hacked, and St. Jude released a software patch to address the vulnerability, with additional updates pending. A St. Jude representative said the company is “a strong supporter of responsible disclosure” of vulnerability information.
“Any new cardiac devices submitted to the FDA for review by St. Jude Medical that use the Merlin@home Transmitter will not be cleared or approved without the Merlin@home software update installed and without adequate assurance that appropriate cybersecurity controls are in place,” said Suzanne Schwartz, M.D., MBA, associate director for Science and Strategic Partnerships, Center for Devices and Radiological Health, FDA.
Despite the dramatic twists and turns of the St. Jude story, it did not have any bearing on the already robust collaborations among industry groups working to bolster medical device cybersecurity, said Bill Aerts, retired director of Global Medical Device Security at Medtronic. But it did raise a very serious question about the role of third-party security experts, and how they choose to handle information about potential vulnerabilities.
“Disclosing information about potential vulnerabilities before they have been properly assessed by the device manufacturer and/or the agency has the potential to provide misinformation to the public,” said Schwartz. Public disclosure “may put patients at a greater risk by providing information that could lead to the exploitation of the vulnerability by individuals seeking to do harm before it can be fixed,” she added.
The tension between independent security researchers and medical device companies is hardly new. In 2008, researchers proved it was possible to eavesdrop on an FDA-approved implantable cardiac defibrillator, and three years later, a diabetic patient named Jerome Radcliffe made headlines when he partially reverse engineered his own insulin pump.
These events encouraged the FDA to take the lead in responding to cybersecurity threats, and spurred the formation of industry groups such as the National Health Information Sharing and Analysis Center (NH-ISAC); the Medical Device Innovation, Safety and Security Consortium (MDISS); and the Archimedes Center for Medical Device Security at the University of Michigan.
Today, most medical device companies have broadly accepted the idea that continuous security monitoring is an essential part of any product’s post-market safety plan. “The industry in large part is shifting from the question of ‘Do I need cybersecurity?’ to ‘How do I do cybersecurity?’” said Stephanie Domas, lead security engineer for Battelle’s DeviceSecure Services. As such, device companies are increasingly hiring independent IT firms to conduct “hands-on penetration testing,” she said.
“Effective collaboration requires understanding on both sides of the fence, with both industry and security researchers,” said Domas. “Yes, many security researchers may be acting in direct violation of your user agreement when they reverse engineer your device. But if they have come forward to notify you about a potential vulnerability, it’s because they have the best interests of patients in mind.”
Although the FDA’s guidance is not legally binding, medical device company executives are taking this issue seriously, said Medtronic’s Aerts. “Companies I work with range from large to startups, and they all understand and appreciate that security is a thing they need to do, and are allocating resources for it,” said Domas.
Despite the growing risk of security breaches, for patients in need of life-saving devices, “the risk of it being attacked is far less than the benefit of therapy that can be delivered,” said Aerts.
“Medical device security is a solution, not a problem,” added University of Michigan’s Fu. “Cybersecurity gives patients the confidence to benefit from life-saving diagnostics and therapies.”
This article was reprinted from Volume 21, Issue 02, of CWWeekly, a leading clinical research industry newsletter providing expanded analysis on breaking news, study leads, trial results and more.