Transcript of: Cybersecurity of Medical Devices and the Impact on Research
HCCA Research Compliance Conference May 31-June 3, 2015
Polsinelli PC. In California, Polsinelli LLP
Cybersecurity of Medical Devices and the Impact on Research
June 2015
Ken Briggs, Esq.
Polsinelli PC, Phoenix
[email protected]
602.650.2042
One East Washington St., Suite 1200
Phoenix, AZ 85004-2568
real challenges. real answers. sm
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.
© 2015 Polsinelli PC. In California, Polsinelli LLP.
Polsinelli is a registered mark of Polsinelli PC
Concepts to Cover
Orientation
What is cybersecurity?
– What are the threats?
Key Players
Regulations
– Medical Devices
– Cybersecurity
Research Considerations
Orientation
Impact on Research
Bringing medical devices to market
Allocating liability among the manufacturer, physician/PI, hospital, and patient
Regulatory Response
What is a Medical Device?
The FDA defines a medical device as:
– an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.
Medical Devices
Can be big/small and (relatively) simple
Medical Devices
Can be big/small and complex
Medical Devices
What about these?
Medical devices become far more complex when they:
– Connect with other devices
– Can be modified/personalized
– Depend on user/third-party inputs
– Need advanced power sources
Medical Device Connectivity
So this…
Quickly becomes this…
Medical Device Connectivity
[Diagram: the Device connected to Hospital, Patient, Manufacturer, Physician and "Others?", extended further to Home, Internet, Physicians with other devices, Other patients and Other devices]
Medical Device Connectivity
[Diagram: the Device connected to Hospital, Patient, Manufacturer, Physician and "Others?"]
Cybersecurity
What is Cybersecurity?
No fixed definition of cybersecurity
– The process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient. (FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Oct. 2, 2014)
– The ability to protect or defend the use of cyberspace from cyber attacks [an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information]. (CNSSI-4009, both definitions)
Threat Overview
Malware, denial-of-service, unauthorized access, theft/loss, others
Consequences of incident
– Complete or partial malfunction
Does not work at all
Does not work in the intended way
– Compromise
Pivot device
Patient/financial information
Intentional vs. Unintentional – What does it matter?
Threat Overview
Malware/Virus
– A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.
– Software that compromises the operation of a system by performing an unauthorized function or process.
DDoS
– A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
– Commonly used to shut down or interrupt a network
Unauthorized access
– Any access that violates the stated security policy.
Others? Theft? Loss?
Source of Threats
Threat actors (what everyone talks about)
– National Governments
– Terrorists
– Industrial Spies and Organized Crime Groups
– Hacktivists
– Hackers
– GAO Threat Table
Users/Patients
Manufacturer/Developer
Multi-Party Failures
(where most of the issues do/will originate)
Malicious Threat Lifecycle
Phase 1—Reconnaissance – Adversary identifies and selects a target(s).
Phase 2—Weaponize – Adversary packages an exploit into a payload designed to execute on the targeted computer/network.
Phase 3—Deliver – Adversary delivers the payload to the target system(s).
Phase 4—Exploit – Adversary code is executed on the target system(s).
Phase 5—Install – Adversary installs remote access software that provides a persistent presence within the targeted environment or system.
Phase 6—Command and Control – Adversary employs remote access mechanisms to establish a command and control channel with the compromised device.
Phase 7—Act on Objectives – Adversary pursues intended objectives (e.g., data exfiltration, lateral movement to other targets).
Source: NIST Special Publication 800-150 (Draft), Oct. 2014
Malicious Threat Lifecycle
Phase 1 – Device weaknesses are observed and researched
Phase 2 – Malicious code/software/virus developed
Phase 3 – Package is delivered to the target through one or more devices
Phase 4 – Software on device is executed or manipulated
Phase 5 – Device or software on device is told what to do
Phase 6 – Information is collected; device is compromised, shut down/broken
Intentional vs. Unintentional?
Unintentional Threat
Malfunction or unintentional consequence of design/code/software
– Code is not properly written or conflicts with new code
Device or information on device is compromised
– Code does not save all the information
– Misprints output directions
– Instructs devices to perform unintended function
Threat Environment
“There is no such thing as a threat-proof medical device.” – Suzanne Schwartz, M.D., MBA, FDA’s Center for Devices and Radiological Health.
“Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.” – Dr. Kevin Fu, member, NIST Information Security & Privacy Advisory Board
Examples of Threats
The U.S. Department of Homeland Security is investigating nearly two dozen cases of suspected cybersecurity flaws in medical devices.
Beth Israel Deaconess Medical Center in Boston reported 664 pieces of medical equipment running on outdated operating systems.
Boston Children’s was the subject of a DDOS hacktivist attack where it experienced nearly 40 times what its usual inbound traffic would have been.
– There were also direct attacks on internet-facing ports.
Researchers (Billy Rios and Terry McCorkle) discovered a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.
Software failures were behind 24 percent of all the medical device recalls in 2011.
There were 429 device recalls for “Software Design” during FY 2010 and 2012.
At the DEFCON hacking conference Jerome Radcliffe remotely manipulated the dosage levels delivered by an insulin pump from up to 300 feet away.
KEY PLAYERS
Key Players
Manufacturers
• Develop devices
• Financial interest in success=sales
Hospitals
• Purchase, develop, research
Physicians
• Prescribe, purchase, research
Patients
• Recipients and users
• Not merely “bystanders”
KEY REGULATIONS
Key Regulations
Health Insurance Portability and Accountability Act of 1996
FDA
– medical device manufacturing requirements
– FDA research regulations
Common Rule – Protection of human subjects
Consumer protection – FTC and state attorneys general
– “stops unfair, deceptive and fraudulent business practices”
…civil lawsuits
Current Regulatory Process
Step One: Device Classification – Class I, II, III
Step Two: Identify Appropriate Path
– 510(k) (Premarket Notification)
– PMA (Premarket Approval)
– De Novo (Evaluation of Automatic Class III Designation)
– HDE (Humanitarian Device Exemption)
Step Three: Prepare Information for Submission – Design Controls, Nonclinical Testing, Clinical Evidence, Labeling
Step Four: Send Information to FDA
Step Five: Complete Registration and Device Listing
Development of Medical Devices
FDA classification
– Class I, Class II, Class III
– Investigational Device Exemption (IDE)
Regulatory review
– Premarket Approval (PMA)
High risk devices that pose a significant risk of illness or injury, or devices found not substantially equivalent to Class I and II predicate through the 510(k) process.
More involved and includes the submission of clinical data to support claims made for the device.
– Premarket notification (510(k))
Demonstrate that the device is substantially equivalent to one approved … : (1) before May 28, 1976; or (2) to a device that has been determined by FDA to be substantially equivalent.
– Quality Control
Post-approval studies or reports
Adverse events, MAUDE
Mobile devices
– to be used as an accessory to a regulated medical device; or
– to transform a mobile platform into a regulated medical device.
Device Classes
Class I
– Most (74%) are exempt from 510(k)
– Low risk
– 47% of devices
Class II
– Most require 510(k)
– Higher risk
– 43% of devices
Class III
– Most require PMA
– Generally highest risk
– Subject to the highest level of regulatory control.
Medical Devices
Premarket Notification (510(k))
– Made to FDA to demonstrate that the device to be marketed is at least as safe and effective, that is, substantially equivalent, to a legally marketed device (21 CFR 807.92(a)(3)) that is not subject to PMA.
– Requires demonstration of substantial equivalence to another legally U.S. marketed device.
Substantial equivalence is established with respect to intended use, design, energy used or delivered, materials, chemical composition, manufacturing process, performance, safety, effectiveness, labeling, biocompatibility, standards, and other characteristics, as applicable.
Medical Devices
Premarket Approval (PMA)
– PMA is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.
– Four-Step Process at FDA
administrative and limited scientific review for completeness;
in-depth scientific, regulatory, and Quality System review;
review and recommendation by the appropriate advisory committee; and
final deliberations/decision.
– Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.
– Requires documentation to demonstrate the safety and effectiveness of the device.
– If the device contains software or is controlled by a computer, the submission should contain documentation of software development and validation appropriate to the level of risk of the software.
Investigational Device Exemption (IDE)
An investigational device exemption (IDE) allows the investigational device to be used in a clinical study in order to collect safety and effectiveness data.
Clinical studies are most often conducted to support a PMA.
– Only a small percentage of 510(k)s require clinical data to support the application.
Investigational Device Exemption (IDE)
Clinical evaluation of devices that have not been cleared for marketing requires:
– an investigational plan approved by an IRB; approval by FDA if study involves a significant risk device;
– informed consent from all patients;
– labeling stating that the device is for investigational use only;
– monitoring of the study; and
– required records and reports.
Good Clinical Practices (GCP) must be complied with while conducting a clinical study.
Current Regulatory Process
Step One: Device Classification – Class I, II, III
Step Two: Identify Appropriate Path – 510(k), PMA, De Novo, HDE
Step Three: Prepare Information for Submission – Design Controls, Nonclinical Testing, Clinical Evidence, Labeling
Step Four: Send Information to FDA
Step Five: Complete Registration and Device Listing
Preparing Information for FDA
Step Three: Prepare Information for Submission
– Design Controls: design validation, which includes software validation and risk analysis, where appropriate.
– Nonclinical Testing
– Clinical Evidence
– Labeling
Design Controls
Scope – All manufacturers (including specification developers) of Class II and III devices and select Class I devices are required to follow design controls [§ 820.30] during the development of their device.
The design control requirements are basic controls needed to ensure that the device being designed will perform as intended when produced for commercial distribution.
21 C.F.R. § 820.30(g) – Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the [design history file].
Recent FDA Guidance
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2014)
– This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.
– Applies to devices that contain software as well as to software that is itself a medical device.
– Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
– Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30(g).
– The Agency recommends that medical device manufacturers consider the following cybersecurity framework core functions to guide their cybersecurity activities: Identify, Protect, Detect, Respond, and Recover.
Recent FDA Guidance
Design validation shall include software validation and risk analysis, where appropriate.
The approach should appropriately address the following elements:
– Identification of assets, threats, and vulnerabilities;
– Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
– Assessment of the likelihood of a threat and of a vulnerability being exploited;
– Determination of risk levels and suitable mitigation strategies;
– Assessment of residual risk and risk acceptance criteria.
Recent FDA Guidance
Identify and Protect
– The extent to which security controls are needed will depend on the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.
Detect, Respond, and Recover
– Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
– Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
– Implement device features that protect critical functionality, even when the device’s cybersecurity has been compromised;
– Provide methods for retention and recovery of device configuration by an authenticated privileged user.
Recent FDA Guidance
In the premarket submission [not just PMA], manufacturers should provide the following information related to the cybersecurity of their medical device:
1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including:
– A specific list of all cybersecurity risks that were considered in the design of your device;
– A specific list and justification for all cybersecurity controls that were established for your device.
2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;
3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.
4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and
5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).
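The risk analysis elements on the previous slide (assets, threats, vulnerabilities, impact, likelihood, risk level, residual risk against acceptance criteria) and items 1 and 2 above (the list of risks and controls, and the traceability matrix) can be kept as one small structured register. The Python below is an added example, not from the presentation or from FDA, for a hypothetical network-connected infusion pump; the 1-5 impact and likelihood scale, the Low/Medium/High bands, the acceptance threshold, and every risk and control listed are constructed assumptions.

```python
# Added example (not from the presentation or the FDA): a small cybersecurity risk
# register with a traceability matrix linking controls to the risks considered.
# Device, risks, controls, scoring scale and acceptance threshold are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    impact: int      # assumed scale: 1 (negligible) .. 5 (patient harm)
    likelihood: int  # assumed scale: 1 (rare) .. 5 (expected)


@dataclass(frozen=True)
class Control:
    cid: str
    description: str
    # rid -> (impact, likelihood) this control brings that risk down to
    mitigates: Dict[str, Tuple[int, int]]


ACCEPTANCE_THRESHOLD = 6  # assumed risk acceptance criterion: residual score <= 6

# Constructed register for a hypothetical infusion pump; the threats mirror the ones the
# presentation lists (malware, unauthorized access, DDoS, unintentional code defects).
RISKS: List[Risk] = [
    Risk("R1", "pump firmware", "malware", "unpatched operating system", 5, 4),
    Risk("R2", "service interface", "unauthorized access", "hard-coded service password", 5, 3),
    Risk("R3", "hospital network link", "denial of service", "internet-facing open port", 3, 3),
    Risk("R4", "dosing logic", "unintentional code defect", "incomplete software validation", 5, 2),
]
CONTROLS: List[Control] = [
    Control("C1", "validated, signed patches; updates restricted to authenticated code", {"R1": (5, 1)}),
    Control("C2", "fail-safe mode keeps delivery at last safe setting", {"R1": (3, 4), "R2": (3, 3)}),
    Control("C3", "unique per-device credentials; access limited to trusted users", {"R2": (5, 1)}),
    Control("C4", "unnecessary ports/services disabled; device network segmented", {"R3": (3, 1)}),
]


def risk_level(score: int) -> str:
    """Map an impact x likelihood score (1..25) onto the assumed Low/Medium/High bands."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def inherent_score(risk: Risk) -> int:
    return risk.impact * risk.likelihood


def residual_score(risk: Risk, controls: List[Control]) -> int:
    """Score after every control that traces to this risk; a control only ever lowers a factor."""
    impact, likelihood = risk.impact, risk.likelihood
    for control in controls:
        if risk.rid in control.mitigates:
            new_impact, new_likelihood = control.mitigates[risk.rid]
            impact = min(impact, new_impact)
            likelihood = min(likelihood, new_likelihood)
    return impact * likelihood


def traceability_matrix(risks: List[Risk], controls: List[Control]) -> Dict[str, List[str]]:
    """rid -> ids of the controls that address it; an empty list is a gap in the matrix."""
    return {r.rid: [c.cid for c in controls if r.rid in c.mitigates] for r in risks}


def review(risks: List[Risk], controls: List[Control]) -> Dict[str, object]:
    """Findings a reviewer would raise: risks with no control, and residual risk above the criterion."""
    matrix = traceability_matrix(risks, controls)
    untraced = [rid for rid, cids in matrix.items() if not cids]
    unaccepted = [r.rid for r in risks if residual_score(r, controls) > ACCEPTANCE_THRESHOLD]
    return {"matrix": matrix, "untraced": untraced, "unaccepted": unaccepted}


if __name__ == "__main__":
    for r in RISKS:
        inherent, residual = inherent_score(r), residual_score(r, CONTROLS)
        print(f"{r.rid} {r.threat:<26} inherent {inherent:>2} ({risk_level(inherent)})"
              f"  residual {residual:>2} ({risk_level(residual)})")
    print(review(RISKS, CONTROLS))
```

In the constructed register R4 has no control that traces to it, so the review flags it both as a gap in the traceability matrix and as residual risk above the acceptance criterion; that is the kind of finding item 2 above is meant to make visible.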
Impact of FDA Guidance
Application to Research
– Manufacturers may also consider applying the cybersecurity principles described in this guidance as appropriate to Investigational Device Exemption submissions and to devices exempt from premarket review.
Documentation
Cost
Weaknesses in Current Process
Guidance is weak and the potential consequences are very high
Ad hoc reviews of cybersecurity are insufficient
Transfer of responsibilities when the product goes to market is unclear
Significant, overlapping liability
Gaps in the regulation
Regulations – Gaps?
HIPAA—patient information
– What if a device is accessed but patient information is not accessed or breached?
FDA—safety and efficacy of medical devices
Common Rule—protection of human subjects in research
FTC—consumer protection
Natural Path of Regulation
[Cycle diagram with the stages: Current regulation; Industry modification; Technology & industry improvement; Regulatory ambiguity; Soft guidance; Hard guidance; Revised regulation; and a "You are here" marker]
Other Regulations: HIPAA
Application
– Does not typically apply to manufacturers
– Applies to covered entities: hospitals, physicians
Remember FDA definition of cybersecurity
HIPAA obligations must be observed even during research
Other Regulations: HIPAA
HIPAA Risk Analysis
– Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 45 C.F.R. § 164.308.
Required Considerations [OCR Security Rule Guidance 2010]
– An organization must identify where the e-PHI is stored, received, maintained or transmitted.
– Organizations must identify and document reasonably anticipated threats to e-PHI.
– Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.
A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.
Other Regulations: HIPAA
Research authorization requirements
– When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization. 45 C.F.R. § 164.508.
Breach of Unsecured PHI
– “[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information.”
– A covered entity must notify the individual(s), the OCR, and possibly the media.
Allocation of liability in research
Regulatory, Civil, Contract, Costs (development/research)
How is liability identified and allocated?
– Contracts, clearer regulation, transparent guidance, case law
– Unified industry
Research Considerations
Hospitals and Manufacturers
Informal FDA guidance to hospitals and manufacturers:
– Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:
Network-connected/configured medical devices infected or disabled by malware;
The presence of malware on hospital computers;
Uncontrolled distribution of passwords;
Failure to provide timely security software updates and patches to medical devices;
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access.
“The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.”
Research Considerations
Hospitals and Manufacturers
FDA recommendations to device manufacturers:
– Take steps to limit unauthorized device access to trusted users only[sic].
– Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
– Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
– Provide methods for retention and recovery after an incident where security has been compromised.
Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
Research Considerations
Hospitals and Manufacturers
FDA recommendations to health care facilities:
– Evaluate your network security and protect your hospital system.
– Restrict unauthorized access to the network and medical devices connected to the network.
– Make certain appropriate antivirus software and firewalls are up-to-date.
– Monitor network activity for unauthorized use.
– Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
– Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device.
– Develop and evaluate strategies to maintain critical functionality during adverse conditions.
Research Considerations
Understanding Liability
Will the Manufacturer notify the hospital of cybersecurity issues?
What if the device is breached or used to breach the hospital’s network?
What if the hospital was notified of an update and does not perform it (or doesn’t perform it accurately)?
What if a device stops functioning and a patient is physically injured?
What if patient information is taken directly from the device?
Incident Response
Source: Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (Oct. 2009), ICS-CERT
Activities of hospital, PI, and Manufacturer overlap
Research Considerations
Key Contract Terms
Duties and Responsibilities
Confidential or Proprietary Information
Indemnification
– Scope of indemnification
– Extent of control (investigations, lawsuits)
Compensation for Subject Injury
Insurance
– Does it cover breach issues?
Reporting obligations
– From hospital/PI to Manufacturer: adverse event; device deficiency
– From Manufacturer to hospital/PI (e.g., security discoveries)
Indemnification
What costs, claims, damages, etc. of the hospital and/or PI will be paid for by the manufacturer?
HIPAA, injury, privacy…
Research Considerations
Due Diligence
Information requested from the manufacturer
Communication to patients
Training provided by manufacturer
Updated security risk analysis
Certificates of insurance
IT contacts
Other
Research Considerations
Dedicated Personnel
Understand the devices
Understand the liability and incentives through the research process
Has knowledge of the transfer and use issues from the manufacturer to the patient