Product Liability Update
FDA Issues Unprecedented Alert Over Medical Device Cyber Security Risk
In an unprecedented move, on July 31 the U.S. Food & Drug Administration issued an Alert to health care facilities to discontinue using the Hospira Symbiq Infusion System due to “cybersecurity vulnerabilities.” The FDA Alert followed an earlier advisory posted by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which reported the discovery of those cybersecurity vulnerabilities in the device, and Hospira’s confirmation of the information.
In its Alert, the FDA described the affected medical device as follows:
- The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. It is primarily used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.
The FDA then described the specific cybersecurity concern:
- Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.
Meanwhile, DHS’ ICS-CERT advised that while “no known public exploits specifically target this vulnerability”, it could be exploited by “an attacker with medium skill”.
Fortunately, the FDA noted that neither it nor Hospira is currently aware of any patient adverse events or unauthorized access of one of these systems in a health care setting. Hospira posted a statement about “Infusion Device Cybersecurity” on its own website, in which it stated that “there are no known instances of cybersecurity breaches of Hospira devices in a clinical setting.” Hospira also remarked that in order to exploit the cybersecurity vulnerabilities, a hacker would also have to penetrate “several layers of network security enforced by the hospital information system, including secure firewalls.” In other words, the hospital also has responsibility for providing cybersecurity.
Both the FDA and ICS-CERT stated that the manufacturer has already retired the product, due to unrelated issues. Nonetheless, the FDA urged hospitals to transition to other infusion systems as soon as possible: “we strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps.” In addition, although the particular product is in limited use in North America, the FDA is wary of the secondary market for pre-owned medical devices. Accordingly, the FDA “strongly discourages the purchase of the Symbiq Infusion System” from resellers.
Takeaways?
- The FDA now views cybersecurity risks just as seriously as defective product risks.
Upon learning of a confirmed cybersecurity weakness that can be remotely exploited (i.e., hacked) to cause patient harm, the FDA response appears to be similar to how it would respond to a confirmed design or manufacturing product defect. In this case, perhaps because the manufacturer had already “retired” the product from distribution, and there were no known injuries due to the device being hacked, the FDA’s response focused on public notification of the risk and on encouraging hospitals to stop using the product at issue as soon as possible, rather than requiring a recall.
It is worth noting that this FDA Alert comes two years after the FDA issued a more general Cybersecurity Safety Communication in which it “recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.” So the FDA already staked out cyberspace as an area of enhanced attention.
- Responsibility for addressing cybersecurity vulnerabilities likely falls on both the device manufacturer and the healthcare facility computer network.
In the past, some health care facilities and device manufacturers have argued over who is responsible for updating malware protection and cybersecurity when it comes to medical devices, as if cybersecurity were a hot potato. In reality, in order to exploit cybersecurity weaknesses in a medical device that is connected to a health care facility’s network, the hackers would likely have to first infiltrate the hospital network. Thus, depending on the circumstances, a successful cyber-attack on a medical device in a health care facility could be attributed to both the facility and the manufacturer for insufficient cybersecurity measures. As the FDA has previously advised, cybersecurity is a mutual concern, and is best addressed proactively.
- Healthcare cybersecurity requirements will vastly expand as more devices are connected to more networks across the internet.
Previously, the focus of healthcare cybersecurity was almost exclusively on data breaches in which patient healthcare records were stolen or illegally accessed. However, this FDA Alert makes it clear that the cyber risk in the healthcare space is not limited to disclosure of medical records.
Moreover, the cyber risk with medical devices likely isn’t limited to their use in healthcare facilities. Just as our population ages and requires more medical monitoring and treatment, medical technology is evolving to allow those functions to occur far away from traditional healthcare facilities. Cardiac devices, insulin pumps, pain medicine pumps, muscle stimulators, neurotransmitters, bionic limb devices and other implanted or wearable devices not yet invented will be connected wirelessly, perhaps to home networks, or networks at the office, or in the car, or wherever there is an internet connection. All of these devices and networks will require vigilant cybersecurity management in order to keep the hackers at bay and to allow the devices to work as intended.
Stay tuned.