You likely read about the recent Wanna.Cry ransomware attack and may know that it also infected a number of hospitals worldwide. Generally, this malware infects a user's systems, encrypts the data and requires a ransom of $300 or more in order to decrypt their data. In the U.S., it not only infected PCs but also certain medical devices; specifically, a Bayer Medrad device, which is used to inject contrast media to aid in MRI scans. The malware infection may have rendered this device useless until the ransom was paid and may have affected certain scheduled procedures and hospital MRI operations.
This attack once again puts the spotlight on cybersecurity issues with medical devices. Medical devices may be more susceptible to such malware due to regulatory and other factors.
As an FDA-regulated device, changes to its software may require undergoing another 510(k) regulatory review. This costs time and money and may have prevented manufacturers from updating their software in the past. However, the FDA is making progress on this front and providing better guidance to manufacturers-at both the premarket and postmarket stages.
• The 2014 Premarket guidance document indicates that manufacturers should incorporate cybersecurity into the design of their product.
• The 2016 Postmarket guidance document calls on manufacturers to closely monitor, identify and respond to cybersecurity vulnerabilities as part of their routine postmarket surveillance efforts. It also suggests that for routine cybersecurity updates and patches, the FDA does not require advance notification or reporting.
• A draft guidance document, released in August 2016 and under final review, provides a flowchart to allow manufacturers to determine if a software patch for cyber defense requires FDA review. It also suggests that if the software updates are made solely to boost a medical device's cyber defense and does not have any other impact on the software or device, then it should be documented, but does NOT require a 510(k) review. The patch should be developed in line with existing QSM with necessary analysis and verification and/or validation. There are exceptions to this and further review of this and the other documents is recommended.
Factors that increase the susceptibility of medical devices to cyberattacks include:
• Security was never part of the device's design, or it was more of an after-thought.
• Devices continuing to use unsupported operating systems such as Windows XP, Server 2003 or others. Many devices do not face technological obsolescence and remain operational in the field for years.
• Devices with embedded systems that can't be readily patched or upgraded. These may require a complete firmware update, which would have to be done manually.
• Devices with insecure access or password control systems; specifically those that have wireless capability.
• Updates are available but not implemented because the hospital does not have adequate resources or time, doesn't think it is important enough, or inability to take device off-line.
We encourage you to share this material with your clients that manufacture, distribute or are otherwise engaged in the medical device industry. For further information, feel free to contact Dan Bauman who oversees OneBeacon Technology's Risk Control services at firstname.lastname@example.org or 262.951.1455.