Reproduced from India Legal, http://www.indialegallive.com/health/cyber-attacks-lives-at-risk-68579,
published July 14, 2019
An alert by India's drug regulatory agency about some insulin pumps posing a "cyber security risk" shows the increasing vulnerability of medical instruments to online warfare.

By Dr KK Aggarwal
Medical devices are increasingly connected to the internet, hospital networks and other medical instruments, to provide features that improve healthcare and increase the ability of such providers to treat patients.
However, they also increase the risk of cyber security threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting their safety and effectiveness. The need for effective cyber security to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet and network-connected devices, portable media (USB or CD) and frequent electronic exchange of medical device-related health information.
Cyber security threats to the healthcare sector have become more frequent, more severe and more clinically impactful. Cyber security incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across facilities, in the US and globally. Such attacks can delay diagnoses and treatment and harm the patient.
Threats and vulnerabilities cannot be eliminated, so reducing security risks is especially challenging. The healthcare environment is complex, and manufacturers, hospitals and facilities must work together to manage the security risks.
And this imminent threat has now come to the fore. India's drug regulatory agency, the Central Drugs Standard Control Organisation (CDSCO), has issued an alert about several models of insulin pumps made by the US company Medtronic, saying they pose a "cyber security risk" because unauthorised persons could wirelessly gain control over them. The July 2 alert has cited an "urgent safety field notification" from Medtronic and a US Food and Drug Administration (FDA) warning on June 27 about the pumps, electronic devices that deliver insulin into the bloodstream.
An unauthorised person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change the settings and control insulin delivery. Unauthorised tampering with the settings could expose patients to the risks of fatal low blood glucose or high sugar levels.
The FDA warned all patients and doctors about Medtronic MiniMed™ insulin pumps and said that patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
Medtronic is recalling these pumps. The following alerts were issued by it: "One should keep insulin pump and the devices that are connected to the pump within your control. Never share your pump serial number. Be attentive to pump notifications, alarms, and alerts. Disconnect the USB device from your computer when you are not using it to download data from your pump."
It was in March 2019 that the FDA issued a safety communication to alert healthcare providers and patients about cyber security vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic's implantable cardiac devices, clinic programmers and home monitors. Although the system's overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cyber security vulnerabilities.
To date, the FDA is not aware of any reports of patient harm related to cyber security lapses. However, it is a fact that remote control of the device in the hands of unauthorised persons could be used to withhold a shock when it is needed or to deliver a shock when it is not.
In another case, the FDA, in October 2018, issued a safety alert that Medtronic was issuing a software update to address a safety risk caused by cyber security vulnerabilities associated with the internet connection between Carelink 2090 and Carelink Encore 29901 programmers. These were used to download software from the Medtronic SDN. This update was a voluntary recall by the manufacturer to address the safety risk.
There have been other warnings of software glitches. On April 11, 2018, the FDA approved a firmware update that was intended as a corrective action to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cyber security vulnerabilities for certain Abbott ICDs (implantable cardiac defibrillators) and CRT-Ds (cardiac resynchronisation devices). "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).
It was in January 2016 that the FDA issued guidance outlining important steps that medical device manufacturers should take to continually address cyber security risks to keep patients safe and better protect public health. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that they also consider improvements during maintenance of devices. The evolving nature of cyber threats means risks may arise throughout a device's entire lifecycle.
All medical devices that use software and are connected to hospital and healthcare organisations' networks have vulnerabilities: some we can proactively protect against, while others require vigilant monitoring and timely remediation. The FDA guidance also addresses the importance of information-sharing via participation in an Information Sharing Analysis Organisation (ISAO), a collaborative group in which public and private-sector members share cyber security information.
The draft guidance indicates that in cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency if certain conditions are met. These conditions include: there are no serious adverse events or deaths associated with the vulnerability; within 30 days of learning of the vulnerability, the manufacturer notifies users and implements changes that reduce the risk to an acceptable level; and the manufacturer is a participating member of an ISAO and reports the vulnerability, its assessment and remediation to it.
Medical device manufacturers (MDMs) and healthcare delivery organisations (HDOs) should take steps to ensure that appropriate safeguards are in place. While MDMs should remain vigilant about identifying the risks and hazards associated with their medical devices, HDOs should evaluate their network security and protect their hospital systems.
Chapter XI, Section 66 of the Information Technology (IT) Act, 2000, particularly deals with the act of hacking. Section 66(1) treats as hacking any act by a person who dishonestly or fraudulently does any of the acts referred to in Section 43, which deals with hacking, and Section 66(2) prescribes the punishment for it. Under the Act, hacking is a punishable offence in India with imprisonment up to three years, or with a fine up to Rs 2 lakh, or with both.
Though concerns have been raised in India regarding the potential for cyber interference with medical devices, generally this has not been shown to be a clinical concern. But it is better to be safe than sorry.
Dr KK Aggarwal
Padma Shri Awardee
President Elect, Confederation of Medical Associations in Asia and Oceania (CMAAO)
Group Editor-in-Chief, IJCP Publications
President, Heart Care Foundation of India
Past National President, IMA