
HCCA Research Compliance Conference May 31-June 3, 2015


Polsinelli PC. In California, Polsinelli LLP

Cybersecurity of Medical Devices and the Impact on Research

June 2015

Ken Briggs, Esq.

Polsinelli PC, Phoenix

602.650.2042

One East Washington St., Suite 1200

Phoenix, AZ 85004-2568

real challenges. real answers. sm

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

© 2015 Polsinelli PC. In California, Polsinelli LLP.

Polsinelli is a registered mark of Polsinelli PC


Concepts to Cover

Orientation

What is cybersecurity?

– What are the threats?

Key Players

Regulations

– Medical Devices

– Cybersecurity

Research Considerations


Orientation


Impact on Research

Bringing medical devices to market

Allocating liability among the manufacturer, physician/PI, hospital, and patient

Regulatory Response


What is a Medical Device?

The FDA defines a medical device as:

– an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,

intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or

intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.


Medical Devices

Can be big/small and (relatively) simple


Medical Devices

Can be big/small and complex


Medical Devices

What about these?


Medical devices become far more complex when they:

– Connect with other devices

– Can be modified/personalized

– Depend on user/third-party inputs

– Need advanced power sources


Medical Device Connectivity

So this…

Quickly becomes this…


Medical Device Connectivity

[Diagram labels: Device, Hospital, Patient, Manufacturer, Physician, Others?, Home, Internet, Physicians with other devices, Other patients, Other devices]


Medical Device Connectivity

[Diagram labels: Device, Hospital, Patient, Manufacturer, Physician, Others?]


Cybersecurity


What is Cybersecurity?

No fixed definition of cybersecurity

– The process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.

FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2, 2014)

– The ability to protect or defend the use of cyberspace from [An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information].

CNSSI-4009


Threat Overview

Malware, denial-of-service, unauthorized access, theft/loss, others

Consequences of incident

– Complete or partial malfunction

Does not work at all

Does not work in the intended way

– Compromise

Pivot device

Patient/financial information

Intentional vs. Unintentional – What does it matter?


Threat Overview

Malware/Virus

– A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.

– Software that compromises the operation of a system by performing an unauthorized function or process.

DDOS

– A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

– Commonly used to shut down or interrupt a network

Unauthorized access

– Any access that violates the stated security policy.

Others? Theft? Loss?


Source of Threats

Threat actors

– National Governments

– Terrorists

– Industrial Spies and Organized Crime Groups

– Hacktivists

– Hackers

– GAO Threat Table

Users/Patients

Manufacturer/Developer

Multi-Party Failures

What everyone talks about

Where most of the issues do/will originate


Malicious Threat Lifecycle

Phase 1—Reconnaissance

– Adversary identifies and selects a target(s).

Phase 2—Weaponize

– Adversary packages an exploit into a payload designed to execute on the targeted computer/network.

Phase 3—Deliver

– Adversary delivers the payload to the target system(s).

Phase 4—Exploit

– Adversary code is executed on the target system(s).

Phase 5—Install

– Adversary installs remote access software that provides a persistent presence within the targeted environment or system.

Phase 6—Command and Control

– Adversary employs remote access mechanisms to establish a command and control channel with the compromised device.

Phase 7—Act on Objectives

– Adversary pursues intended objectives (e.g., data exfiltration, lateral movement to other targets).

Source: NIST Special Publication 800-150 (Draft), Oct. 2014


Malicious Threat Lifecycle


Phase 1 Device weaknesses are observed and researched

Phase 2 Malicious code/software/virus developed

Phase 3 Package is delivered to the target through one or more devices

Phase 4 Software on device is executed or manipulated

Phase 5 Device or software on device is told what to do

Phase 6 Information is collected; device is compromised, shut down/broken

Intentional vs. Unintentional?


Unintentional Threat

Malfunction or unintentional consequence of design/code/software

– Code is not properly written or conflicts with new code

Device or information on device is compromised

– Code does not save all the information

– Misprints output directions

– Instructs devices to perform unintended function


Threat Environment

“There is no such thing as a threat-proof medical device.” – Suzanne Schwartz, M.D., MBA, FDA’s Center for Devices and Radiological Health.

“Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.” – Dr. Kevin Fu, member, NIST Information Security & Privacy Advisory Board


Examples of Threats

The U.S. Department of Homeland Security is investigating nearly two dozen cases of suspected cybersecurity flaws in medical devices.

Beth Israel Deaconess Medical Center in Boston reported 664 pieces of medical equipment running on outdated operating systems.

Boston Children’s was the subject of a DDOS hacktivist attack where it experienced nearly 40 times what its usual inbound traffic would have been.

– There were also direct attacks on internet-facing ports.

Researchers (Billy Rios and Terry McCorkle) discovered a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.

Software failures were behind 24 percent of all the medical device recalls in 2011.

There were 429 device recalls for “Software Design” during FY 2010 and 2012.

At the DEFCON hacking conference Jerome Radcliffe remotely manipulated the dosage levels delivered by an insulin pump from up to 300 feet away.


KEY PLAYERS


Key Players

• Prescribe, purchase, research

• Recipients and users

• Not merely “bystanders”

• Purchase, develop, research

• Develop devices

• Financial interest in success=sales

Manufacturers Hospitals

Physicians Patients


KEY REGULATIONS


Key Regulations

Health Insurance Portability and Accountability Act of 1996

FDA – medical device manufacturing requirements

– FDA research regulations

Common Rule – Protection of human subjects

Consumer protection – FTC and state attorneys general

– “stops unfair, deceptive and fraudulent business practices”

…civil lawsuits


Current Regulatory Process

Step One: Device Classification – Class I, II, III

Step Two: Identify Appropriate Path – 510(k) (Premarket Notification)

– PMA (Premarket Approval)

– De Novo (Evaluation of Automatic Class III Designation)

– HDE (Humanitarian Device Exemption)

Step Three: Prepare Information for Submission – Design Controls, Nonclinical Testing, Clinical Evidence, Labeling

Step Four: Send Information to FDA

Step Five: Complete Registration and Device Listing


Development of Medical Devices

FDA classification – Class I, Class II, Class III

– Investigational Device Exemption (IDE)

Regulatory review – Premarket Approval (PMA)

High risk devices that pose a significant risk of illness or injury, or devices found not substantially equivalent to Class I and II predicate through the 510(k) process.

More involved and includes the submission of clinical data to support claims made for the device.

– Premarket notification (510k)

Demonstrate that the device is substantially equivalent to one approved … : (1) before May 28, 1976; or (2) to a device that has been determined by FDA to be substantially equivalent.

– Quality Control

Post-approval studies or reports

Adverse events, MAUDE

Mobile devices – to be used as an accessory to a regulated medical device; or

– to transform a mobile platform into a regulated medical device.


Device Classes

Class I

– Most (74%) are exempt from 510(k)

– Low risk

– 47% of devices

Class II

– Most require 510(k)

– Higher risk

– 43% of devices

Class III

– Most require PMA

– Generally highest risk

– Subject to the highest level of regulatory control.


Medical Devices

Premarket Notification (510(k))

– Made to FDA to demonstrate that the device to be marketed is at least as safe and effective, that is, substantially equivalent, to a legally marketed device (21 CFR 807.92(a)(3)) that is not subject to PMA.

– Requires demonstration of substantial equivalence to another legally U.S. marketed device.

Substantial equivalence is established with respect to intended use, design, energy used or delivered, materials, chemical composition, manufacturing process, performance, safety, effectiveness, labeling, biocompatibility, standards, and other characteristics, as applicable.


Medical Devices

Premarket Approval (PMA)

– PMA is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.

– Four-Step Process at FDA

administrative and limited scientific review for completeness;

in-depth scientific, regulatory, and Quality System;

review and recommendation by the appropriate advisory committee; and

final deliberations/decision.

– Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.

– Requires documentation to demonstrate the safety and effectiveness of the device.

– If the device contains software or is controlled by a computer, the submission should contain documentation of software development and validation appropriate to the level of risk of the software.


Investigational Device Exemption (IDE)

An investigational device exemption (IDE) allows the investigational device to be used in a clinical study in order to collect safety and effectiveness data.

Clinical studies are most often conducted to support a PMA.

– Only a small percentage of 510(k)s require clinical data to support the application.


Investigational Device Exemption (IDE)

Clinical evaluation of devices that have not been cleared for marketing requires:

– an investigational plan approved by an IRB; approval by FDA if study involves a significant risk device;

– informed consent from all patients;

– labeling stating that the device is for investigational use only;

– monitoring of the study; and

– required records and reports.

Good Clinical Practices (GCP) must be complied with while conducting a clinical study.


Current Regulatory Process

Step One: Device Classification – Class I, II, III

Step Two: Identify Appropriate Path – 510(k), PMA, De Novo, HDE

Step Three: Prepare Information for Submission – Design Controls, Nonclinical Testing, Clinical Evidence, Labeling

Step Four: Send Information to FDA

Step Five: Complete Registration and Device Listing


Preparing Information for FDA

Step Three: Prepare Information for Submission

– Design Controls.

Design validation

Includes software validation and risk analysis, where appropriate.

– Nonclinical Testing

– Clinical Evidence

– Labeling


Design Controls

Scope

– All manufacturers (including specification developers) of Class II and III devices and select Class I devices are required to follow design controls [§ 820.30] during the development of their device.

The design control requirements are basic controls needed to ensure that the device being designed will perform as intended when produced for commercial distribution.

21 C.F.R. § 820.30(g)

– Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the [design history file].


Recent FDA Guidance

Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2014).

– This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.

– Applicable to devices that contain software as well as software that is a medical device

– Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.

– Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).

– The Agency recommends that medical device manufacturers consider the following cybersecurity framework core functions to guide their cybersecurity activities: Identify, Protect, Detect, Respond, and Recover.


Recent FDA Guidance

Design validation shall include software validation and risk analysis, where appropriate.

The approach should appropriately address the following elements:

– Identification of assets, threats, and vulnerabilities;

– Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;

– Assessment of the likelihood of a threat and of a vulnerability being exploited;

– Determination of risk levels and suitable mitigation strategies;

– Assessment of residual risk and risk acceptance criteria.


Recent FDA Guidance

Identify and Protect

– The extent to which security controls are needed will depend on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.

Detect, Respond, and Recover

– Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;

– Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;

– Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised;

– Provide methods for retention and recovery of device configuration by an authenticated privileged user.


Recent FDA Guidance

In the premarket submission [not just PMA], manufacturers should provide the following information related to the cybersecurity of their medical device:

– 1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:

A specific list of all cybersecurity risks that were considered in the design of your device;

A specific list and justification for all cybersecurity controls that were established for your device.

– 2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;

– 3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.

– 4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and

– 5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).


Impact of FDA Guidance

Application to Research

– Manufacturers may also consider applying the cybersecurity principles described in this guidance as appropriate to Investigational Device Exemption submissions and to devices exempt from premarket review.

Documentation

Cost


Weaknesses in Current Process

Guidance is weak and the potential consequences are very high

Ad hoc reviews of cybersecurity are insufficient

Transfer of responsibilities when the product goes to market is unclear

Significant, overlapping liability

Gaps in the regulation


Regulations – Gaps?

HIPAA—patient information

– What if a device is accessed but patient information is not accessed or breached?

FDA—safety and efficacy of medical devices

Common Rule—protection of human subjects in research

FTC—consumer protection


Natural Path of Regulation

[Diagram labels: Current regulation; Industry modification; Technology & industry; Improvement; Regulatory ambiguity; Soft guidance; Hard guidance; Revised regulation. Marker: "You are here"]


Other Regulations: HIPAA

Application

– Does not typically apply to manufacturers

– Applies to covered entities: hospitals, physicians

Remember FDA definition of cybersecurity

HIPAA obligations must be observed even during research


Other Regulations: HIPAA

HIPAA Risk Analysis

– Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 45 C.F.R. § 164.308.

Required Considerations [OCR Security Rule Guidance 2010]

– An organization must identify where the e-PHI is stored, received, maintained or transmitted.

– Organizations must identify and document reasonably anticipated threats to e-PHI.

– Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.

A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.


Other Regulations: HIPAA

Research authorization requirements

– When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. 45 C.F.R. § 164.508.

Breach of Unsecured PHI

– “[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information.”

– A covered entity must notify the individual(s), the OCR, and possibly the media.


Allocation of liability in research

Regulatory, Civil, Contract, Costs (development/research)

How is liability identified and allocated?

– Contracts, clearer regulation, transparent guidance, case law

– Unified industry


Research Considerations

Hospitals and Manufacturers

Informal FDA guidance to hospitals and manufacturers:

– Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:

Network-connected/configured medical devices infected or disabled by malware;

The presence of malware on hospital computers;

Uncontrolled distribution of passwords;

Failure to provide timely security software updates and patches to medical devices;

Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access.

“The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.”


Research Considerations

Hospitals and Manufacturers

FDA recommendations to device manufacturers:

– Take steps to limit unauthorized device access to trusted users only[sic].

– Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.

– Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”

– Provide methods for retention and recovery after an incident where security has been compromised.

Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.


Research Considerations

Hospitals and Manufacturers

FDA recommendations to health care facilities:

– Evaluate your network security and protect your hospital system.

– Restrict unauthorized access to the network and medical devices connected to the network.

– Make certain appropriate antivirus software and firewalls are up-to-date.

– Monitor network activity for unauthorized use.

– Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

– Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device.

– Develop and evaluate strategies to maintain critical functionality during adverse conditions.


Research Considerations

Understanding Liability

Will the Manufacturer notify the hospital of cybersecurity issues?

What if the device is breached or used to breach the hospital’s network?

What if the hospital was notified of an update and does not perform it (or doesn’t perform it accurately)?

What if a device stops functioning and a patient is physically injured?

What if patient information is taken directly from the device?


Incident Response

Source: Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (Oct. 2009), ICS-CERT

Activities of hospital, PI, and Manufacturer overlap


Research Considerations

Key Contract Terms

Duties and Responsibilities

Confidential or Proprietary Information

Indemnification

– Scope of indemnification

– Extent of control (Investigations, lawsuits)

Compensation for Subject Injury

Insurance

– Does it cover breach issues?

Reporting obligations

– From hospital/PI to Manufacturer

Adverse event; device deficiency

– From Manufacturer to hospital/PI (e.g., security discoveries)


Indemnification

What costs, claims, damages, etc. of the hospital and/or PHI will be paid for by the manufacturer?

HIPAA, injury, privacy…


Research Considerations

Due Diligence

Information requested from the manufacturer

Communication to patients

Training provided by manufacturer

Updated security risk analysis

Certificates of insurance

IT contacts

Other


Research Considerations

Dedicated Personnel

Understand the devices

Understand the liability and incentives through the research process

Has knowledge of the transfer and use issues from the manufacturer to the patient
