Some weeks, the FDA does not publish much new information. One week in June 2013 was like that. It seemed like I was scraping the bottom of the barrel when I came across an FDA Safety Communication on cybersecurity for medical devices and hospital networks. I explained to my editor at Medical Law Perspectives that I had nothing else to choose from, so I was stuck with a cockamamie topic. But my editor said to keep an eye out for more medical device cybersecurity risks, as this was going to be a hot news topic.
Then, in 2015, the news shifted from abstract administrative guidance to specific medical device safety alerts. First, as noted in the May 25, 2015 Scalpel Weekly News, “Infusion Pumps Have Cybersecurity Vulnerabilities,” the FDA issued a Safety Alert regarding the cybersecurity vulnerabilities of Hospira’s LifeCare PCA3 and PCA5 infusion pump systems. Second, as noted in the August 17, 2015 Scalpel Weekly News, “Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System,” the FDA issued a Safety Alert regarding the cybersecurity vulnerabilities of Hospira’s Symbiq Infusion System.
The last indication of a shift from abstract guidance to specific issues with specific medical devices was the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisory published on May 13, 2015 regarding Hospira’s LifeCare PCA3 and PCA5 infusion pump system, “Hospira LifeCare PCA Infusion System Vulnerabilities” (since revised as Update B). The ICS-CERT is a sub-sub-sub-unit of the Department of Homeland Security. Its “mission is to guide a cohesive effort between government and industry to improve the cyber security posture of control systems within the nation’s critical infrastructure.” Its focus is by no means medical devices. The advisory basically stated the same information contained in the FDA Medical Device Safety Announcement issued the same day, except the ICS-CERT wrote in language that only the hospital’s IT department could understand.
However, in addition to the shift from abstract advice to concrete cybersecurity vulnerabilities of specific medical devices, I discovered something interesting in reviewing those two FDA safety alerts and the ICS-CERT advisory for this blog. On June 10, 2015, the ICS-CERT updated the advisory it issued on May 13, 2015, with “ICSA-15-125-01B, Hospira LifeCare PCA Infusion System Vulnerabilities (Update B).” The updates were significant in the following three key ways.
First, there is the sheer quantity of “updates” within the advisory: nine. A very unscientific sampling of advisories updated by the ICS-CERT (I Googled “Update “Part 1 of” site:https://ics-cert.us-cert.gov/advisories/”) returns 101 results, from which one might infer that the ICS-CERT has only ever updated 101 advisories. Of those 101 updated advisories, the average number of updates per advisory was 2.1, and the mode was 2. The updated advisories with the next highest number of updates had only five updates, and there were only two advisories with even that many.
There were 34 updated ICS-CERT advisories that contained only one update, 38 updated ICS-CERT advisories contained two updates, 19 updated ICS-CERT advisories contained three updates, seven updated ICS-CERT advisories contained four updates, two updated ICS-CERT advisories contained five updates, and no updated ICS-CERT advisories contained six, seven, or eight updates. “ICSA-15-125-01B, Hospira LifeCare PCA Infusion System Vulnerabilities (Update B)” contained nine updates.
Second, the updates increased both the number of vulnerabilities and their severity. The updates doubled the number of identified vulnerabilities, adding four vulnerabilities above and beyond the original four. Additionally, the updates indicated that all but one of the eight vulnerabilities could be exploited remotely. Moreover, the updates stated that, “An attacker with low skill would be able to exploit all but two of these vulnerabilities; the remaining vulnerabilities would require high skill to exploit.” The National Vulnerability Database (NVD) assigns Common Vulnerability Scoring System (CVSS) scores, on a scale from zero to ten, to most publicly disclosed vulnerabilities that have received CVE identifiers. Alongside the numeric score, the NVD publishes a qualitative severity ranking of “Low,” “Medium,” or “High” that maps directly onto the numeric CVSS base score (these are the CVSS version 2 bands in use at the time; the later version 3 scale adds “None” and “Critical” bands). Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9, “Medium” severity if they have a CVSS base score of 4.0-6.9, and “High” severity if they have a CVSS base score of 7.0-10.0. Seven of the eight vulnerabilities identified in the update were assigned a CVSS score. Five of those seven vulnerabilities were labeled high severity.
Third, the updates introduced two new characters to the story. The update stated, “Independent researcher Billy Rios has identified vulnerabilities in Hospira’s LifeCare PCA Infusion System. . . . Kyle Kamke of Ramparts, LLC has independently identified an uncontrolled resource consumption vulnerability in Hospira’s Symbiq Infusion System.” Billy Rios posted on his blog about his ongoing investigation of the cybersecurity vulnerabilities of Hospira’s infusion systems, “Hospira Plum A+ Infusion Pump Vulnerabilities.”
Why are cyber research firms and independent researchers suddenly at the center of all this breaking news about medical device cybersecurity? Jack Detsch explained why in his December 7, 2016, article in the Christian Science Monitor, “The legal exemption making life easier for ethical hackers.” Mr. Detsch noted that in 1998 the Digital Millennium Copyright Act (DMCA) made research on medical devices and many other wireless and internet-connected electronics without the manufacturer’s consent a crime. In October 2016, a three-year exemption to the DMCA’s criminalization of unauthorized research on medical devices, granted by the Library of Congress with the support of the FDA, took effect. The exemption allows ethical hackers, also known as white-hat hackers, to perform “good-faith security research” on medical devices and many other wireless and internet-connected electronics. Katie Moussouris, chief executive officer of Luta Security, a company that contracts with governments and large organizations for vulnerability disclosure programs and bug bounties, described the DMCA exemption as “essentially saying, we’re now able to shine the sunlight of disinfectant on devices we weren’t able to touch before.”
Perhaps due in part to the DMCA exemption, medical device cybersecurity vulnerabilities are becoming a widely known problem. I used Hospira’s infusion pumps as an example because they are the subject of FDA and ICS-CERT advisories. But news of cybersecurity vulnerabilities is beginning to come from outside these two agencies. For example, on October 17, 2016, Fortune published an article from the Reuters news service, “St. Jude Medical Will Form a Cybersecurity Board After Heart Device Defect,” describing medical device maker St. Jude Medical’s heart devices and reporting the allegation that these devices were “riddled” with cybersecurity vulnerabilities. The FDA launched an investigation in August 2016 “after a short-seller Muddy Waters and cyber research firm MedSec Holdings” disclosed the alleged vulnerabilities. In another example, Jack Detsch reported that Essentia Health “found that many Bluetooth-enabled defibrillators and X-ray machines were rife with software vulnerabilities.”
The breadth of the medical device cybersecurity problem was the subject of Jon Markman’s November 29, 2016, article for Forbes, “Connected Medical Devices Cause Cybersecurity Blues,” about “a security hole” in Johnson & Johnson’s Animas One Touch Ping connected insulin pump. He connected this to the rising concern about the internet of things (IOT) as the “new frontier of attack.” He explained that, “when health care companies began connecting devices to networks the threat of hackers seemed remote.” Now many of those devices run out-of-date software. This means an attacker who compromises a device on a health care network could commandeer it, steal data – including patient records – or simply leave it dormant, ready to be summoned at a later date for, as an example, a large distributed denial of service (DDoS) attack, like the DDoS attack in October 2016 that drew on tens of millions of Internet addresses at once and took down many websites. He quoted Pedro Abreu, chief strategy officer at ForeScout, “Health care organizations have been very focused on protecting traditional IT, spending millions of dollars to secure its systems. But it leaves an open door with IOT devices – although it’s meant to be a secure system.”
The story of the ICS-CERT’s updated advisory about the cybersecurity vulnerabilities of Hospira’s infusion systems should serve as a wake-up call for the FDA, particularly its Center for Devices and Radiological Health (CDRH). The FDA should do more than issue guidance on pre-market and post-market cybersecurity best practices for medical device manufacturers and users. If I had to suggest priorities for the CDRH, they would be:
(1) Update FDA advisories promptly when the ICS-CERT updates related advisories. The FDA Safety Communication issued May 13, 2015, regarding the LifeCare PCA3 and PCA5 Infusion Pump Systems was never updated to reflect the additional number and severity of cybersecurity vulnerabilities. The FDA Safety Communication regarding the Symbiq Infusion System was not issued until July 31, 2015, 51 days after the June 10, 2015 ICS-CERT update.
(2) Do more to ensure that the significance of the information in ICS-CERT advisories is conveyed to the medical community. Healthcare providers will only give their IT departments sufficient support if the severity of medical device cybersecurity vulnerabilities is conveyed in language healthcare providers can understand, from sources healthcare providers trust and monitor.
(3) Continue to support and cultivate independent research on medical device security by advocating that the DMCA exemption for good-faith security research be made permanent.
By Sarah Kelman, JD, and the experts and editors at Medical Law Perspectives.
See the 2016 FDA Announcement regarding its draft guidance on post-market management of cybersecurity in medical devices, “FDA outlines cybersecurity recommendations for medical device manufacturers.”
For more details about the FDA Safety Alert regarding the cybersecurity vulnerabilities of Hospira’s Symbiq Infusion System, see the Scalpel Weekly News, August 17, 2015, “Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System.”
For more details about the FDA Safety Alert regarding the cybersecurity vulnerabilities of Hospira’s LifeCare PCA3 and PCA5 infusion pump systems, see the Scalpel Weekly News, May 25, 2015, “Infusion Pumps Have Cybersecurity Vulnerabilities.”
See the ICS-CERT Advisory regarding Hospira’s LifeCare PCA3 and PCA5 infusion pump system, “Hospira LifeCare PCA Infusion System Vulnerabilities (Update B).”
For more details about the 2014 FDA recommendations for the management of medical device cybersecurity risks, see the Scalpel Weekly News, October 13, 2014, “FDA Recommendations for Management of Medical Device Cybersecurity Risks.”
For more details about the 2013 FDA Medical Device Safety Communication on cyber security for medical devices and hospital networks, see the Scalpel Weekly News, June 24, 2013, “Cybersecurity Guidelines for Medical Devices to Prevent Cyberattack Failures.”
For news articles regarding the cybersecurity of medical devices see:
Jack Detsch, The legal exemption making life easier for ethical hackers, Christian Science Monitor (December 7, 2016).
Jon Markman, Connected Medical Devices Cause Cybersecurity Blues, Forbes (November 29, 2016).
St. Jude Medical Will Form a Cybersecurity Board After Heart Device Defect, Fortune (October 17, 2016).