FDA Announces Plan to Advance Medical Device Safety and Cybersecurity | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

FDA Announces Plan to Advance Medical Device Safety and Cybersecurity

April 18, 2018
by Heather Landi
| Reprints
Click To View Gallery

While medical devices play an increasing role in patient care and provide life-saving benefits to patients, these devices can be vulnerable to security breaches and therefore pose significant risks to healthcare cybersecurity. To address medical device safety, the Food and Drug Administration (FDA) has announced plans to advance new frameworks for identifying risks and protecting consumers, including proposals aimed at advancing medical device cybersecurity.

This week, the FDA released the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. This new Action Plan outlines the FDA’s vision for how the agency can continue to enhance programs and processes to assure the safety of medical devices. “Our aim is to make sure that the new advances in technology that are enabling better capabilities and benefits are also harnessed to bring added assurances of safety, so that more patients can benefit from new devices and address unmet needs,” FDA Commissioner Scott Gottlieb, M.D., said in a statement.

Specifically, the FDA’s medical device safety action plan focuses on five key areas:

Establish a robust medical device patient safety net in the U.S.;

Explore regulatory options to streamline and modernize timely implementation of post-market mitigations;

Spur innovation towards safer medical devices;

Advance medical device cybersecurity; and

Integrate the FDA’s Center for Devices and Radiological Health (CDRH) premarket and post-market offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety.

According to Gottlieb’s statement, the FDA already has taken several steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices. As part of this new action plan, FDA officials are seeking additional authorities and funding from Congress, which would build on the agency’s work to date and further minimize medical device cybersecurity vulnerabilities and exploits.

The agency is considering placing new responsibilities on manufacturers, both before and after their devices hit the market. Specifically, the FDA is considering potential new premarket authorities to require firms, on the front end, to build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA as part of the device’s premarket submission. The FDA may also require firms to develop a “Software Bill of Materials” that must be provided to the FDA as part of a premarket submission and made available to medical device customers and users.

Additionally, FDA plans to update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack). The agency also is considering new post-market authority to require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.

The FDA is also considering form a public-private partnership, a CyberMed Safety (Expert) Analysis Board, that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and the agency.

The Association of Executives in Healthcare Information Security (AEHIS) issued a statement in support of the FDA’s efforts to improve medical device cybersecurity and called the proposals “promising.”

Erik Decker, AEHIS chair and chief security and privacy officer at University of Chicago Medicine, said in the statement: “The challenges of protecting medical devices from cyberattacks is a hot topic within our association. We believe all parties understand this challenge is a shared responsibility; today’s FDA announcement is an important step toward furthering this goal.”

AEHIS has consistently advocated for policies that bring greater protections to the healthcare sector and transparency for providers who purchase these devices.

 

2018 Seattle Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

October 22 - 23, 2018 | Seattle


/news-item/cybersecurity/fda-announces-plan-advance-medical-device-safety-and-cybersecurity
/article/cybersecurity/podcast-ahas-cybersecurity-leader-john-riggi-evolving-cyber-threats-facing

PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi
| Reprints
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency
Click To View Gallery

 

Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report based on a survey of hackers uncovered some alarming results: about a quarter of hackers surveyed say they can complete a breach of a hospital or healthcare organization under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the  cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisitcated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point, the incident of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length. You can listen to all Healthcare Informatics podcasts right here.


More From Healthcare Informatics

/whitepaper/who-can-healthcare-trust-when-ransomware-hits

Who Can Healthcare Trust When Ransomware Hits?

Please register to download


WannaCry and Petya caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is what the role of information sharing was between private industry and the public sector specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).

Related Insights For: Cybersecurity

/news-item/cybersecurity/report-more-3m-patient-records-breached-second-quarter-2018

Report: More than 3M Patient Records Breached in Second Quarter of 2018

August 8, 2018
by Heather Landi
| Reprints
Click To View Gallery

More than 3.14 million patient records were breached in 142 disclosed health data breach incidents during a three-month span from April to June 2018, according to new data released in the Protenus Breach Barometer.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the latest data showed that in the second quarter of 2018 the number of affected patient records almost tripled from those reported in the first quarter of this year (1.13 million patient records).

Protenus and DataBreaches.net compiled the report using health data breaches reported to the U.S. Department of Health and Human Services (HHS) or to the media. The data found that there were several large data breach incidents during the second quarter, including a theft incident in April involving a Sacramento-based office of the Department of Developmental Services, affecting 582,000 patient records, and a hacking incident at a healthcare provider in May that impacted 566,000 patient records.

For incidents disclosed to the HHS or the media, insiders were responsible for 30.9 percent of the total number of breaches in Q2 2018 (44 incidents). Details were disclosed for 27 of those incidents, affecting 421,180 patient records (13.4 percent of total breached patient records).

The report notes an interesting trend with regard to insider breach incidents. In Q2 2018, 29.7 percent of privacy violations were repeat offenders. “This evidence indicates health systems accumulate risk that compounds over time if proper reporting and education do not occur. On average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a years’ time,” the report states.

The report authors note, “In other words, even minor privacy violations that are not promptly detected and mitigated, have the potential to compound risk over time.”

The Breach Barometer report data also shows that each hospital investigator is responsible for monitoring the electronic access of an average of 4,000 active EHR users in Q2 2018, underscoring that manual audit processes, like ad-hoc or random audits, are insufficient to monitor such a large population, each of whom accesses multiple medical records per day.

Nine out of 1,000 employees breach patient privacy, and family member snooping is the most common insider-threat violation (71.4 percent of violations), the Protenus data found.

Protenus data estimated that on average, 9.21 healthcare employees breach patient privacy per every 1,000 employees. This increase, from what was reported in Q1 2018, is due to healthcare privacy teams better leveraging advanced analytics, and proactively detecting more incidents, according to the report.

There were 25 publicly disclosed incidents that involved insider-error between April and June 2018. Details were disclosed for 14 of these incidents, affecting 343,036 patient records. In contrast, 18 incidents involved insider-wrongdoing, with data disclosed for 13 of these incidents. There was a substantial increase of breached patient records as a result of insider-wrongdoing.  In Q1 2018, there were only 4,597 affected patient records, while in Q2 2018, there were 70,562 affected patient records.

Looking at external threats, hacking continues to threaten healthcare organizations in 2018, with an increase in incidents in the second quarter. Between January and March, there were 30 hacking incidents, however, between April and June 2018 there have been a total of 52 incidents (36.6 percent of all Q2 2018 publicly disclosed incidents). Details were disclosed for 44 of those incidents, which affected 2 million patient records.

Of the 143 disclosed health data breaches that occurred between April and June 2018, 99 of them (76 percent of total incidents) were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.

Even though most healthcare organizations have already switched over to digitized patient records, 23 breach incidents still involved paper records.

The Protenus data also reported that, of the 142 health data breaches for which data was disclosed, it took an average of 204 days from when the breach occurred to when it was discovered. The median discovery time was 18 days. There was a wide variety in the data, with the shortest discovery time of one day and the longest of 1,587 days (4.35 years).

In conclusion, the Protenus report notes that the average cost per breached record has increased 6.4 percent ($408 per record) over last year. “Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report states.

 

See more on Cybersecurity ...