An alert by India’s drug regulatory agency about some insulin pumps posing a “cyber security risk” shows the increasing vulnerability of medical instruments to online warfare
By Dr KK Aggarwal
Medical devices are increasingly connected to the internet, hospital networks and other medical instruments, to provide features that improve healthcare and increase the ability of such providers to treat patients.
However, they also increase the risk of cyber security threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting their safety and effectiveness. The need for effective cyber security to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet and network-connected devices, portable media (USB or CD) and frequent electronic exchange of medical device-related health information.
Cyber security threats to the healthcare sector have become more frequent, more severe and more clinically impactful. Cyber security incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across facilities, in the US and globally. Such attacks can delay diagnoses and treatment and harm the patient.
Threats and vulnerabilities cannot be eliminated, therefore, reducing security risks is especially challenging. The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage the security risks.
And this imminent threat has now come to the fore. India’s drug regulatory agency, the Central Drugs Standard Control Organisation (CDSCO), has issued an alert about several models of insulin pumps made by the US company Medtronic, saying they pose a “cyber security risk” because unauthorised persons could wirelessly gain control over them. The July 2 alert has cited an “urgent safety field notification” from Medtronic and a US Food and Drug Administration (FDA) warning on June 27 about the pumps—electronic devices that deliver insulin into the bloodstream.
An unauthorised person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change the settings and control insulin delivery. Unauthorised tampering with the settings could expose patients to the risks of fatal low blood glucose or high sugar levels.
The FDA warned all patients and doctors about Medtronic MiniMed™ insulin pumps and said that patients with diabetes using these models should switch their insulin pump to models that are better-equipped to protect against these potential risks.
Medtronic is recalling these pumps. The following alerts were issued by it: “One should keep insulin pump and the devices that are connected to the pump within your control. Never share your pump serial number. Be attentive to pump notifications, alarms, and alerts. Disconnect the USB device from your computer when you are not using it to download data from your pump.”
It was in March 2019 that the FDA issued a safety communication to alert healthcare providers and patients about cyber security vulnerabilities identified in a wireless telemetry technology used for communication between Medtronic’s implantable cardiac devices, clinic programmers and home monitors. Although the system’s overall design features help safeguard patients, Medtronic is developing updates to further mitigate these cyber security vulnerabilities.
To date, the FDA is not aware of any reports of patient harm related to cyber security lapses. However, it is a fact that a remote control of the device in the hands of unauthorised persons can be used to stop delivering a shock when needed or giving a shock when not needed.
In another case, the FDA, in October 2018, issued a safety alert that Medtronic was issuing a software update to address a safety risk caused by cyber security vulnerabilities associated with the internet connection between Carelink 2090 and Carelink Encore 29901 programmers. These were used to download software from the Medtronic SDN. This update was a voluntary recall by the manufacturer to address the safety risk.
There have been other warnings of software glitches. On April 11, 2018, the FDA approved a firmware update that was intended as a corrective action to reduce the risk of patient harm due to premature battery depletion and potential exploitation of cyber security vulnerabilities for certain Abbott ICDs (implantable cardiac defibrillators) and CRT-Ds (cardiac resynchronisation devices). “Firmware” is a specific type of software embedded in the hardware of a medical device (e.g. a component in the defibrillator).
It was in January 2016 that the FDA issued guidance outlining important steps that medical device manufacturers should take to continually address cyber security risks to keep patients safe and better protect public health. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that they also consider improvements during maintenance of devices. The evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.
All medical devices that use software and are connected to hospital and healthcare organisations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation. The FDA guidance also addresses the importance of information-sharing via participation in an Information Sharing Analysis Organisation (ISAO), a collaborative group in which public and private-sector members share cyber security information.
The draft guidance indicates that in cases where the vulnerability is quickly addressed in a way that sufficiently reduces the risk of harm to patients, the FDA does not intend to enforce urgent reporting of the vulnerability to the agency if certain conditions are met.
These conditions include: there are no serious adverse events or deaths associated with the vulnerability; within 30 days of learning of the vulnerability, the manufacturer notifies users and implements changes that reduce the risk to an acceptable level and the manufacturer is a participating member of an ISAO and reports the vulnerability, its assessment and remediation to it.
Medical device manufacturers (MDMs) and healthcare delivery organisations (HDOs) should take steps to ensure that appropriate safeguards are in place. While MDMs should remain vigilant about identifying the risks and hazards associated with their medical devices, HDOs should evaluate their network security and protect their hospital systems.
Chapter XI, Section 66 of the Information Technology (IT) Act, 2000, particularly deals with the act of hacking. Section 66 (1) defines a “hack” as any person who dishonestly or fraudulently does any act referred to in Section 43, which deals with hacking. Section 66 (2) prescribes the punishment for it. Under the Act, hacking is a punishable offence in India with imprisonment up to three years, or with a fine up to Rs 2 lakh, or with both.
Though concerns have been raised in India regarding the potential for cyber interference with medical devices, generally, this has not been shown to be a clinical concern. But it is better to be safe than sorry.