Cyber Risks Mounting for Networked Medical Devices


By James Swann

Recent cyberattacks that hit hospitals and pharmaceutical companies spotlight the risks of using medical devices that connect to the internet and transmit sensitive data.

“These devices contain large amounts of sensitive patient data but don’t have proper or updated security controls to safeguard this data,” Wendy Wu, vice president at Los Angeles-based Stroz Friedberg, a cybersecurity risk management company, told Bloomberg BNA Aug. 18. Networked medical devices can include everything from insulin pumps to bedside units monitoring patient vital signs. Affected companies include Johnson & Johnson, Siemens AG, and Medtronic.

June’s Petya ransomware attack and May’s WannaCry attack have raised industry awareness of the risks facing networked medical devices. The Petya attack locked up data at New Jersey-based pharmaceutical manufacturer Merck and shut down phones and computers at DLA Piper, a law firm with offices throughout the world, while the WannaCry attack crippled more than 16 British hospitals and 200,000 computers in 150 countries.

Sen. Richard Blumenthal (D-Conn.) July 27 introduced the Medical Device Cybersecurity Act (S. 1656), which would require the Department of Health and Human Services to prepare a “report card” on cyber risks for every networked medical device.

The bill was referred to the Senate Committee on Health, Education, Labor, and Pensions.

Wu, a former assistant U.S. attorney in the U.S. Attorney’s Office for the Central District of California, said the Senate bill might put an additional burden on manufacturers, “but if done properly, it could reduce the risk of cyberattacks and data breaches, which in turn should reduce the legal, financial, and reputational risk to the manufacturers and medical service providers.”

“Physicians and other service providers in the health-care industry want the assurance that the medical devices they’re relying on to help patients meet industry security requirements and won’t expose patients’ sensitive health and personal data,” Wu said.

The Advanced Medical Technology Association wasn’t available to comment. AdvaMed represents roughly 300 companies that produce medical devices. Siemens and Medtronic didn’t respond to requests for comment.

Arms Race

Device manufacturers have been aware of cyber risks for some time, but the risks are potentially increasing in severity as more implantable devices become connected to the internet, Michelle Kisloff, a health-care attorney with Hogan Lovells in Washington, told Bloomberg BNA Aug. 18.

“There continues to be an arms race between cyber attackers and defenders,” Kisloff said.

While the vast majority of cyberattacks remain financially motivated, the device industry is worried about potential attacks focused on causing patient harm, Kisloff said.

The Blumenthal bill is unlikely to gain much support from the device industry, Kisloff said.

“My suspicion is that most of the device industry will oppose the bill, as it creates new regulatory compliance burdens, and the notion of a public report card will be unpalatable,” Kisloff said.

A public report card that offers details on a company’s risk assessment would seem to be counterproductive, Kisloff said.

Legislation isn’t the answer when it comes to cyberattacks, Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg BNA Aug. 17.

“The problem is much less about the security of networked devices and more on user behavior and end point practices,” Zick said.

Device Security

The strength of medical device security has been a long-running concern of the industry, but the WannaCry attack exposed the issue to the public, Eric Fader, a health-care attorney with Day Pitney in New York, told Bloomberg BNA Aug. 17.

Because any device connecting to the internet is potentially at risk for attack—as are the personal data on that device—the need for something like the Medical Device Cybersecurity Act is high, Fader said.

“If we were to chart the number and severity of cyberattacks over time, I think we’re still near the bottom of the hockey stick unless manufacturers stop marketing vulnerable products and users get smarter regarding security compliance, including controlling access and installing necessary updates and patches on an ongoing basis,” Fader said.

Other steps device companies can take to protect against cyberattacks include conducting outside penetration tests, Hogan Lovells’s Kisloff said. The tests involve hired hackers who attempt to break into a company’s products.

Companies should also consider sharing cyber risk information with their peers, as well as developing a data back-up plan in case of a ransomware attack, Kisloff said.

Transparency

The Blumenthal bill may be welcomed by hospitals and providers, because they’re likely to want to know of potential security risks prior to allowing a device onto their network, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA Aug. 17.

“While this is an added burden on manufacturers, I would argue that it is information they already have and should be sharing,” Chestler said, referring to the proposed public report cards.

The awareness of potential cybersecurity threats has grown since the WannaCry attack, Chestler said, and Congress has signaled it’s ready to address security issues not mandated by the Health Insurance Portability and Accountability Act.

“It would be helpful if manufacturers would affirmatively begin to develop their own model to avoid a government mandate,” Chestler said.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
