Medical Device and Healthcare Cybersecurity

Reprinted with permission. The original article appears at

In a now-famous 2012 episode of Showtime’s award-winning series, Homeland, the intersection of medical devices and cybersecurity was presented to viewers in stark relief when terrorists hacked into the vice president’s pacemaker and brought on a fatal heart attack. The possibility (and ramifications) of such an attack may have been new to the viewing public, but to those in the cybersecurity industry it was simply the cinematic realization of a risk that had been known for some time. In the months and years preceding the episode, cybersecurity experts had both raised the issue in papers and demonstrated how one could use a laptop to wirelessly (1) hack into a pacemaker and deliver an 830-volt shock, and (2) hack into an insulin pump and deliver unregulated doses of insulin.

In an increasingly complex healthcare system, security becomes a more challenging objective, and the broader ecosystem of technology that wraps around patients presents great opportunities as well as concerns. Consider the pace at which technology is creating healthcare-related applications and devices. For instance, Apple recently released its Health App in its latest iPhone 6, which promised to bring various forms of health monitoring to smartphones. Google has unveiled a contact lens that would let diabetics monitor blood glucose levels through the tears in their eyes, and its X research lab is reportedly working on a pill that could be swallowed to collect evidence of disease in the body. These devices could communicate with a device that would collect and send data to a doctor across the Internet.

Recently, the Food and Drug Administration responded to the growing concern regarding cybersecurity risks in medical devices by issuing guidance on the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (the “Guidance”). The recommendations are nonbinding, but the issuance of the Guidance reflects the FDA’s recognition that “The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.”

Although the Guidance is primarily “intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity,” the suggested protocols also protect against data breaches that may result in unauthorized access to a patient’s private medical information. For example, the Guidance notes that “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats.”

To ensure the security of medical devices, the Guidance sets forth a series of recommendations regarding access to data and transmission of data, which have the dual benefit of protecting a patient’s physical wellbeing and privacy. For instance, the Guidance recommends limiting access to trusted users, via numerous security controls such as user authentication, multi-factor authentication schemes, layered authorization models, session timeouts, and potentially physical locks. In addition, the Guidance recommends ensuring the secure receipt and transmission of data, through security functions such as authenticated firmware updates; systematic procedures for version-identifiable, manufacturer-provided updates; and secure data transfer using encryption. However, in a cautionary note that is unique to the medical-device context, the Guidance warns that the security controls actually implemented “should not unreasonably hinder access to a device intended to be used during an emergency situation.”

Given the recognized cybersecurity risks in healthcare, the “nonbinding” nature of the Guidance should be taken with a grain of salt. If a healthcare app or medical-device manufacturer chooses to forgo the Guidance recommendations, and the device is later the victim of a cyber-attack the recommendations may have prevented, then although the device may not have violated FDA regulations, it may have exposed the manufacturer to substantial civil liability. Such a manufacturer would be hard-pressed to explain any decision against implementing cybersecurity safeguards, in the face of known risks and the availability of government-recommended security measures.

There may also be a compelling case for up-front integration of cybersecurity. Time-to-market is a very important business objective for any medical device company. Building in security safeguards on the front end, during the design and development of devices, may ultimately streamline the device approval process. As such, cybersecurity compliance may also present a compelling business case, in addition to reducing risk.

In the years ahead, the incidence of cyber-attacks and the reliance on medical devices are expected to continue their upward trajectories. And inevitably, someone somewhere will attempt to make the events depicted in Homeland a reality rather than a piece of fiction. Consequently, medical-device manufacturers would be well-advised to consider now the cybersecurity measures that are needed to protect patient health. In doing so, they will take substantial strides toward also protecting patient privacy. The Guidance recently provided by the FDA is a good (and reasonably safe) place to start.
