Experts put medical devices at the top of the cybersecurity threat list, but the latest FDA Guidance recommends ways for manufacturers to mitigate the risk.
Hackers are nasty. They do awful things to organizations across every industry, not just pharmaceutical companies. Infecting your technology with ransomware is among the foulest things a hacker can do. In a typical scenario, a shyster hijacks your IT infrastructure and blocks access to applications and data until you cave in to their demands. In 2016, the average ransom demand was $679 (up from $294 in 2015). Would you pay $679 to regain access to your company’s important information? Surprisingly, not many enterprises do: only five percent consider forking over the ransom, out of principle and based on doubt that the cybercriminal will actually live up to their word.
Now consider a new spin on the same scenario. Only this time, the hacker isn’t holding IT access for ransom: they’re taking control of the medical device developed by your organization and implanted in the bodies of thousands – or hundreds of thousands – of patients. Pacemakers, insulin pumps, and drug infusion pumps are going to stop working in # days/hours/minutes unless you pay the piper. Or, the surgical robots your company pioneered are going to be hacked through a hospital’s network, causing havoc in the middle of a procedure. Suddenly, $679 doesn’t sound so bad compared to the risk to patient safety – and the negative press about to surface, with your company at the vortex of the storm.
Maybe you never considered this situation unfolding, but experts have. Popular Science called medical devices the biggest cyberattack threat of 2016. CNBC reported on Johnson & Johnson’s warning to users of its Animas OneTouch Ping insulin pump, saying that cyber attackers could disable the device or alter dosages.
And you know things are serious when the FDA speaks, like they did via Final Guidance for Industry released December 28, 2016: Postmarket Management of Cybersecurity in Medical Devices. In a nutshell, the FDA stands by a risk-based approach – which is pretty much its only option, since all medical devices include both risks and benefits, and risks can’t be completely eliminated in any device. So, the agency recommends that manufacturers identify, assess, and mitigate through risk management programs that should include:
- Monitoring initiatives to identify and detect cybersecurity vulnerabilities;
- Properly maintaining the lifecycle processes of the software supporting the device;
- Implementing measures to detect the presence and impact of a breach;
- Adopting processes to manage and communicate a vulnerability;
- Developing mitigation programs that protect against, respond to, and recover from a cyber threat;
- Establishing a risk disclosure policy; and,
- Deploying mitigation measures that manage threats early, potentially prior to exploitation.
What does all this mean for manufacturers of medical devices? Boosting their investment in cybersecurity, an area where some experts would say the industry is underspending: healthcare spends an average of less than six percent of its IT budget on security, compared to the federal government and financial institutions at 16 percent and 12-15 percent respectively.
As long as there’s a computer involved, there’s a threat. No device is 100 percent impervious to hacking, but the stakes are higher when a medical device is involved. Still, risk analysis tells you that the benefits of these medical devices far surpass the risk of a cyberattack. So manufacturers must mitigate through robust risk management programs, with the focus on maintaining the right balance between risk and benefit.
By Marc DeLeuw