Mobile Health Devices and Cybersecurity: Federal Guidance for Management of Threats in Medical Devices

By Kathryn T. Allen and Lauren Z. Groebe

With new technology comes new security concerns. But when that new technology is in the medical field, the cybersecurity vulnerabilities can be particularly devastating.

The Department of Homeland Security is currently investigating two dozen medical devices and other pieces of health technology equipment for potential cybersecurity vulnerabilities. In the wake of two computer bugs that infiltrated and wreaked havoc on hospital computer systems around the country, Shellshock and Heartbleed, the health care community is especially sensitive to cybersecurity breaches and the vast amount of financial and reputational damage such breaches can cause.

mHealth – the Positives and Negatives

Mobile medical health ("mHealth") is the generation, aggregation and dissemination of health information through mobile and wireless devices. Such devices (like medicine infusion pumps or implantable heart devices) benefit patients because they allow around-the-clock monitoring of the patient's health without tethering them to a clinical setting. However, industry watch groups have long warned that cybercriminals could take over such devices and extract valuable health data stored in them or worse, cause actual harm to patients.

While there haven't been any documented breaches to these types of devices thus far, it is clear that mHealth devices pose particular security concerns for patients, health care providers and manufacturers. Cybersecurity vigilance, oversight and appropriate management are the best ways to reduce the risk to patients and health care providers by decreasing the likelihood that device functionality is intentionally (or unintentionally) compromised.

FDA Guidance

In response to these particular concerns, the Food and Drug Administration ("FDA"), which regulates the sales of mHealth devices, recently released guidance for both the manufacturers and users of such devices. Although the guidance sets forth only voluntary standards, companies wishing to minimize potential liability in enforcement actions and/or civil litigation should take notice. The FDA's standards are viewed by many industry observers as the new benchmark against which personal health information ("PHI"), breach-preparedness and response efforts may be measured. Failing to analyze the best practices and proactively implement applicable standards may leave health care companies and manufacturers open to accusations from regulators, class action plaintiffs and even shareholders for failing to satisfy this new standard of care.

For Manufacturers - The FDA recommends that medical device manufacturers consider the following cybersecurity framework to guide their cybersecurity activities:

1. Identify and Protect
The extent to which security controls are needed will depend on the device's intended use, the type of data it culls, where it is used and by whom it is accessed - for example, use outside of a health care facility, and the risk of patient harm due to a cybersecurity breach.

Limit Access to Trusted Users Only

  • Limit access to devices through the authentication of users (e.g. user ID and password, smartcard, biometric)
  • Use automatic timed methods to terminate sessions within the system where appropriate for the use environment
  • Where appropriate, employ a layered authorization model by differentiating privileges based on the user role (e.g. caregiver, system administrator) or device role

Ensure Trusted Content

  • Restrict software or firmware updates to authenticated code (e.g. code signature verification)
  • Use systematic procedures for authorized users to download software and firmware updates from the manufacturer
  • Ensure capability of secure data transfer to and from the device, and when appropriate, use methods for encryption

2. Detect, Respond and Recover

  • Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use
  • Develop and provide information to the end users concerning appropriate actions to take upon detection of a cybersecurity event
  • Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised
  • Provide methods for retention and recovery of device configuration by an authenticated, privileged user

For Health Care Providers - The following are the types of documentation that a health care provider can ask a manufacturer for that will help the health care provider judge the efficacy of the manufacturer's management and implantation of a quality cybersecurity control system:

  • Design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including:
    • A specific list of all risks that were considered in the design of device
    • Specific list and justification of all cybersecurity controls that were established for device
  • A matrix that links actual cybersecurity controls to the risks that were determined
  • A summary of manufacturer's plan for providing validated software updates and patches for the lifecycle of the device (to ensure its safety and efficacy)
  • Summary of controls that are in place to assure device software will maintain its integrity (e.g. withstand malware)
  • Device instructions and product specifications related to cybersecurity controls (e.g. anti-virus software, use of firewall)

And because no device is fool-proof, health care providers and manufacturers should review and reevaluate their cyber insurance policy each year as this can help protect them from paying large fines entirely on their own in the event a breach occurs and HIPAA penalties are levied.