Controlling for Cybersecurity Risks of Medical Device Software

Kevin Fu and James Blum

Managing Risk, Horizons Spring 2014

© Copyright AAMI 2014. Single user license only. Copying, networking, and distribution prohibited.

Editor's Note: This article originally appeared in Communications of the ACM (2013;56[10]21–3; doi: 10.1145/2508701). Reprinted with permission.

About the Authors

Kevin Fu, PhD, is an associate professor of computer science and engineering at the University of Michigan in Ann Arbor, MI. He also is a Sloan research fellow. E-mail: [email protected]

James Blum, MD, is chief of critical care and surgical specialty anesthesia at Emory University Hospital in Atlanta, GA, and assistant professor of anesthesiology in the School of Medicine at Emory University in Atlanta, GA.

While software-related failures are known to play a significant role in deaths and injuries involving medical devices reported to the U.S. Food and Drug Administration (FDA),1 there is no similar reporting system that meaningfully captures security-related failures in medical devices.

Medical device software must satisfy system critical properties, including safety, security, reliability, resilience, and robustness, among others. This column focuses on the challenges to satisfying a security property for medical devices: postmarket surveillance, integrity and availability, and regulation and standards.

Medical devices depend on software for patient care ranging from radiation therapy planning to pharmaceutical compounding to automated diagnosis of disease with mobile medical apps. Meanwhile, the medical community has observed an uptick in reported security vulnerabilities in medical device software, raising doubts of cybersecurity preparedness. It should come as little surprise that security risks in medical devices "could lead to patient harm," as recently explained by the chief scientist at the FDA Center for Devices and Radiological Health.2 Device manufacturers and healthcare providers ought to more carefully and deliberately consider security hazards during the phases from design to use of medical devices.

Measuring Medical Device Security: Quantitative or Qualitative?

Between years 2006 and 2011, 5,294 recalls and approximately 1.2 million adverse events of medical devices were reported to the FDA's Manufacturer and User Facility Device Experience (MAUDE) database.1 Almost 23% of these recalls were due to computer-related failures, of which approximately 94% presented medium to high risk of severe health consequences (such as serious injury or death) to patients.1 For security incidents on medical devices, no systematic national reporting system exists.3 Yet, individual hospitals know of hundreds of security incidents on medical devices.2 For instance, the FDA MAUDE does not capture adverse events such as lack of or impaired availability of function when malware infects a medical device's software. FDA's own disclaimer explains that the MAUDE database is qualitative rather than quantitative. MAUDE is incomplete, with underreporting and reporting bias.

Imagine the reaction of a clinician using a high-risk pregnancy monitor that begins to perform more slowly because of a malware infection. Would the clinician report a malware infection? Likely not. Admitting to playing a role in accidentally infecting a medical device

would likely lead to consequences ranging from disciplinary action to loss of reputation. Thus, the actual incidence of security failures leading to healthcare delivery failures may be significantly greater than the available statistics suggest. To have a better understanding of medical device security, the bad-news diode must be shorted. Reporting must be incentivized rather than penalized.

Consequences of Cybersecurity Unpreparedness for Medical Devices: Integrity and Availability

If you watch television crime dramas, you may be duped into thinking that hacking of medical devices is the number-one risk for public health today. You would be wrong. The most pressing risks are much less sexy: the unavailability of patient care and the lack of health integrity. Here, we highlight a few examples that illustrate the consequences of unavailability and lack of integrity.

Availability of Software to Deliver Safe and Effective Patient Care

Interventional radiology suites and cardiac catheterization labs contain a number of computer systems to perform time-sensitive cardiac procedures, such as angioplasty, to open blocked arteries for improved outcomes in patients suffering acute heart attacks or strokes. According to The Wall Street Journal,2 a Department of Veterans Affairs (VA) catheterization laboratory in New Jersey was temporarily closed in January 2010. Malware had infected the computer systems. The consequence? Patients do not receive the safe and effective care they deserve when malware causes unavailability of care. The VA has experienced hundreds of malware infections in medical devices such as X-ray machines and lab equipment made by well-known, reputable companies.

Old Software, Old Malware

Conficker was detected on 104 devices at the James A. Haley Veterans Hospital in Tampa.2 The affected devices included an X-ray machine, mammography, and a gamma camera for nuclear medicine studies. Conficker is a relatively old piece of malware with well-known mitigation strategies. Why does old malware persist on medical devices?

We observe that one of the cultural challenges to improved cybersecurity, and therefore to safety and effectiveness, is a lifecycle mismatch. For instance, operating system software with production lifecycles measured in months does not match well with a medical device having production lifecycles measured in years or decades. The equivalent of a transformer for impedance matching does not yet exist for safely connecting these different production cultures. The risks of depending on unsupported software have parallels to depending on a device whose parts are no longer manufactured or repaired. Medical devices still rely on the original versions of Windows XP (circa 2001). In October 2012, the Beth Israel Deaconess Medical Center in Boston reported to the NIST Information Security and Privacy Advisory Board that the hospital depends on 664 Windows-based medical devices, primarily because of supply chain issues. Of the 664, 600 devices run the original version of Windows XP. There are no Service Pack 1 (SP1) machines, but there are 15 SP2 machines and 1 SP3 machine. One MRI machine still runs Windows 95. Security support for SP1, SP2, and SP3 ended on October 10, 2006, July 13, 2010, and April 14, 2014, respectively. In many cases, a medical device manufacturer does not provide an effective way for hospitals to upgrade to supported versions of operating systems. Today, healthcare providers are told to maintain a secure system from insecure devices.4

Integrity: High-risk Pregnancy Monitor Infected With Malware

A medical device infected with malware can stray from its expected behavior. For instance, malware can cause a device to slow down and miss critical interrupts. When this happened on a high-risk pregnancy monitor, healthcare professionals could no longer trust the integrity of the sensor readings and depended on backup methods.5

Availability: Antivirus Mishap Disables Hospital Workflow

Antivirus software can help mitigate certain cybersecurity risks, but they also introduce their
own risks. On April 21, 2010, a third of the hospitals in Rhode Island were forced to "postpone elective surgeries and stop treating patients without traumas in emergency rooms" because an automated antivirus software update had accidentally misclassified a critical Windows DLL as malicious. The problem with antivirus software is that, by definition, antivirus software is a postmarket afterthought to make up for design flaws in the device. Antivirus software does not remove the need to incorporate security into the early design of medical devices.

Regulation: FDA Actions on Cybersecurity

According to the FDA mission statement, the agency holds responsibility for protecting public health by assuring the safety, efficacy, and security of medical devices. In June of this year, the FDA issued draft guidance on cybersecurity6 and gave examples of what FDA reviewers would expect to see during premarket review. The draft guidance intentionally does not prescribe any particular approach or technology but instead recommends that manufacturers consider cybersecurity starting at the concept phase of the medical device. The FDA recommends that manufacturers provide:

• A specific list of all cybersecurity risks that were considered in the design of a device.
• A specific list and justification for all cybersecurity controls that were established for a device.
• A traceability matrix that links actual cybersecurity controls to the cybersecurity risks that were considered.
• The systematic plan for providing validated updates and patches to operating systems or medical device software, as needed, to provide up-to-date protection and to address the product lifecycle.
• Appropriate documentation to demonstrate that the device will be provided to purchasers and users free of malware.
• Device instructions for use and product specifications related to recommended antivirus software and/or firewall use appropriate for the environment of use, even when it is anticipated that users may use their own virus protection software.

International Role of Standards Bodies, Manufacturers, and Clinical Facilities

Standards bodies are taking actions to improve medical device cybersecurity. For instance, the Association for the Advancement of Medical Instrumentation (AAMI) recently formed a working group on medical device security that includes engineers from manufacturing and regulators. AAMI has already released standards specific to network-related cybersecurity risks (ANSI/AAMI/IEC-80001). International harmonization of cybersecurity guidance is likely on the horizon, given that phrases such as "security patches" appear in proposals from the International Medical Device Regulators Forum.

Recommendations to Improve Medical Device Cybersecurity

• Manufacturers should consider cybersecurity during the design phase of the medical device. Security is difficult to bolt on after the fact and is most effective when designed in.
• Incentivize user facilities (e.g., hospitals) to report security incidents and vulnerabilities that could lead to harm. This activity will help to gain insight into hazards that affect integrity and availability of medical devices.
• Match the production lifecycles of underlying software to the production lifecycles of the medical device. If a component is known to have a limited lifetime, then the medical device using that component runs the risk of inheriting the limited lifetime.

Conclusion

Modern healthcare delivery depends on medical device software to help patients lead more normal and healthy lives. Medical device security problems are real, but the focus on hacking goes only skin deep. Consequences of diminished integrity and availability caused by untargeted malware include the inability to deliver timely and effective patient care. By addressing security and privacy risks at the concept phase, medical devices can remain safe and effective despite the cybersecurity threats endemic to computing. Security of medical devices is more than just a potential problem on the horizon.
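The lifecycle mismatch discussed above (an operating system leaving security support while the device built on it stays in clinical use) is something a hospital's biomedical or security team can measure from its own inventory. The following is an added example, not code from the article, AAMI or FDA: it uses the Windows XP service pack end-of-support dates quoted in the article and a constructed census patterned on the Beth Israel Deaconess figures. The Host record, the function names and the decision to treat a release with no known support window (original Windows XP, Windows 95) as already unsupported are assumptions of this example.

```python
"""Flag inventory hosts whose operating system has left security support.

Added example, not code from the article, AAMI or FDA. End-of-support dates are
the ones the article quotes for Windows XP SP1-SP3; the census below is
constructed to mirror the October 2012 Beth Israel Deaconess report it describes.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

# End of security support as stated in the article. Assumption of this example:
# a release absent from the table (original Windows XP with no service pack,
# Windows 95) is treated as unsupported on every assessment date.
END_OF_SUPPORT: Dict[Tuple[str, Optional[str]], date] = {
    ("Windows XP", "SP1"): date(2006, 10, 10),
    ("Windows XP", "SP2"): date(2010, 7, 13),
    ("Windows XP", "SP3"): date(2014, 4, 14),
}


@dataclass(frozen=True)
class Host:
    """One inventory row; `count` lets a row stand for a fleet of identical hosts."""
    asset_id: str
    modality: str                  # e.g. "MRI", "X-ray"; free text for the report
    os_name: str
    service_pack: Optional[str]    # None for a release with no service pack
    count: int = 1


def _as_date(on: Union[date, str]) -> date:
    """Accept either a date or an ISO 8601 string such as "2012-10-01"."""
    return on if isinstance(on, date) else date.fromisoformat(on)


def support_status(host: Host, on: Union[date, str]) -> Tuple[str, Optional[int]]:
    """Return ("supported", None) or ("unsupported", days past end of support).

    The day count is None when no support window is known for the release.
    """
    day = _as_date(on)
    eos = END_OF_SUPPORT.get((host.os_name, host.service_pack))
    if eos is None:
        return "unsupported", None          # no known window: assume support lapsed
    if day <= eos:
        return "supported", None
    return "unsupported", (day - eos).days


def unsupported_summary(inventory: List[Host], on: Union[date, str]) -> dict:
    """Tally hosts by platform and support status for the given assessment date."""
    by_platform: Counter = Counter()
    total = unsupported = 0
    for host in inventory:
        status, _ = support_status(host, on)
        total += host.count
        if status == "unsupported":
            unsupported += host.count
        by_platform[(host.os_name, host.service_pack or "none", status)] += host.count
    return {"total": total, "unsupported": unsupported, "by_platform": dict(by_platform)}


# Constructed census: 600 original XP, 15 SP2, 1 SP3 and one Windows 95 MRI, the
# breakdown the article gives for the 664 Windows-based devices; hosts it does not
# break down are omitted here.
CENSUS_2012: List[Host] = [
    Host("xp-rtm-fleet", "various", "Windows XP", None, count=600),
    Host("xp-sp2-fleet", "various", "Windows XP", "SP2", count=15),
    Host("xp-sp3-01", "various", "Windows XP", "SP3"),
    Host("mri-01", "MRI", "Windows 95", None),
]


def report(inventory: List[Host], on: Union[date, str]) -> str:
    """Human-readable summary, one line per platform and status."""
    summary = unsupported_summary(inventory, on)
    lines = [f"Assessment date {_as_date(on)}: "
             f"{summary['unsupported']} of {summary['total']} hosts unsupported"]
    for (os_name, sp, status), n in sorted(summary["by_platform"].items()):
        lines.append(f"  {os_name} {sp}: {n} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CENSUS_2012, "2012-10-01"))   # the month of the report
    print(report(CENSUS_2012, "2014-05-01"))   # after SP3 support ended
```

Run against the constructed census, the assessment on 2012-10-01 shows 616 of 617 hosts already unsupported (only the single SP3 machine still had a support window), and an assessment after April 14, 2014 shows all 617 unsupported. The same structure takes a real inventory export once the support table is extended to the platforms actually in use.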
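The FDA draft guidance described above asks for three artifacts that must agree with one another: the list of risks considered, the list of established controls with their justifications, and a traceability matrix linking controls to risks. A reviewer (or the manufacturer, before submission) can check that agreement mechanically. The following is an added example, not FDA or AAMI tooling: the Submission structure, the check function and the risk and control identifiers (R1.., C1..) with their wording are constructed for illustration.

```python
"""Consistency checks on premarket cybersecurity artifacts: considered risks,
established controls with justifications, and the traceability matrix.

Added example, not FDA or AAMI tooling. Identifiers and sample wording are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Submission:
    risks: Dict[str, str]                    # risk id -> considered risk
    controls: Dict[str, Tuple[str, str]]     # control id -> (control, justification)
    traceability: Dict[str, Set[str]]        # control id -> risk ids it addresses


def check_traceability(sub: Submission) -> List[str]:
    """Return sorted findings; an empty list means the three artifacts agree."""
    findings: List[str] = []
    known_risks = set(sub.risks)
    known_controls = set(sub.controls)

    # Every established control needs a justification and a trace to >= 1 risk,
    # and every risk it cites must be one that was actually considered.
    for cid, (_, justification) in sub.controls.items():
        if not justification.strip():
            findings.append(f"{cid}: control lacks a justification")
        linked = sub.traceability.get(cid, set())
        if not linked:
            findings.append(f"{cid}: control is not traced to any considered risk")
        for rid in sorted(linked - known_risks):
            findings.append(f"{cid}: traced to {rid}, which is not in the risk list")

    # Matrix rows must refer to controls that were actually established.
    for cid in sorted(set(sub.traceability) - known_controls):
        findings.append(f"{cid}: appears in the matrix but not in the control list")

    # Every considered risk should be covered by at least one established control.
    covered: Set[str] = set()
    for cid, linked in sub.traceability.items():
        if cid in known_controls:
            covered |= linked
    for rid in sorted(known_risks - covered):
        findings.append(f"{rid}: risk has no linked control")
    return sorted(findings)


def is_consistent(sub: Submission) -> bool:
    return not check_traceability(sub)


# Constructed sample submission with three deliberate gaps for the check to find.
SAMPLE = Submission(
    risks={
        "R1": "Unauthorized or tampered software update applied to the device",
        "R2": "Malware executing on the device operating system",
        "R3": "Loss of availability because the OS falls out of security support",
        "R4": "Network service on the device exposed to the hospital LAN",
    },
    controls={
        "C1": ("Updates accepted only when signed by the manufacturer",
               "Blocks tampered update images before installation"),
        "C2": ("Application allow-listing on the device OS",
               "Prevents unknown executables such as malware from running"),
        "C3": ("Documented plan for validated OS patches over the product lifecycle",
               "Keeps the OS inside its security-support window"),
        "C4": ("Recommended firewall configuration in the instructions for use",
               ""),                                   # justification missing
    },
    traceability={"C1": {"R1"}, "C2": {"R2"}, "C3": {"R3"}, "C4": {"R9"}},  # R9 undefined
)

if __name__ == "__main__":
    for finding in check_traceability(SAMPLE):
        print(finding)
```

On the constructed sample the check reports that C4 has no justification and cites a risk (R9) that was never listed, and that R4 is a considered risk no control addresses; supplying the justification and tracing C4 to R4 makes the three artifacts consistent.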


Acknowledgments

This work was supported in part by NSF CNS-1331652 and HHS 90TR0003/01. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of NSF or HHS.

References

1. Alemzadeh H, Iyer RK, Kalbarczyk Z, Raman J. Analysis of Safety-Critical Computer Failures in Medical Devices. IEEE Security and Privacy. 2013;11(4):14–26.
2. Weaver C. Patients Put at Risk by Computer Viruses. Available at: http://online.wsj.com/article/SB10001424127887324188604578543162744943762.html. Accessed Aug. 1, 2013.
3. Kramer DB, Baker M, Ransford B, et al. Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One. 2012;7(7):e40200.
4. Fu K. Trustworthy Medical Device Software. In: Public Health Effectiveness of the FDA 510(k) Clearance Process: Measuring Postmarket Performance and Other Select Topics: Workshop Report. Washington, DC: National Academies Press; 2011.
5. Talbot D. Computer Viruses Are 'Rampant' on Medical Devices in Hospitals. Available at: www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals. Accessed Aug. 1, 2013.
6. U.S. Food and Drug Administration. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff. Available at: www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm356186.htm. Accessed Aug. 1, 2013.
