- Ransomware attacks on healthcare facility networks are causing medical device “outages” that put patient lives at risk, according to Kevin Fu, acting director of cybersecurity at the FDA’s Center for Devices and Radiological Health.
- “You can’t have a safe and effective medical device if it’s unavailable” due to ransomware, Fu told AdvaMed’s annual conference this week, noting a big change in the medtech industry over the past decade in terms of acknowledging growing cyber threats to devices. “Nation states and organized crime — real threat actors — are causing harm, damaging the safety and effectiveness of medical devices,” Fu warned.
- Fu’s dire assessment comes as The Wall Street Journal reported the first alleged death in a hospital attributed to ransomware. A 2019 cyberattack on an Alabama medical center allegedly disrupted the normal operation of a fetal heartbeat monitor and a nurses’ station. The parents of a baby who was born with the umbilical cord wrapped around its neck and died nine months later from severe brain damage are suing the hospital, which denies the allegations.
The HHS Office of Inspector General in a June report noted the first known ransomware attack to affect networked medical devices occurred in May 2017 when the global ransomware attack WannaCry impacted radiological devices in some hospitals. OIG pegged the first death resulting from a ransomware attack as occurring in September 2020 when a German hospital was forced to turn away a patient in need of critical care.
More recently, a quarter of healthcare delivery organizations in a Ponemon Institute survey said they saw an increase in mortality rates following a ransomware attack.
With widespread use of connected medical devices, health systems are at heightened risk of an adverse impact on patient care, according to Fu.
“The degree of connectedness of medical devices has really changed,” Fu told this week’s AdvaMed conference. “The consequences are changing just because of how much we depend on them.”
Fu pointed to a ransomware attack earlier this year in which cancer patients undergoing radiation treatment at four healthcare facilities had to reschedule appointments after a software outage caused by a cyberattack on an outside vendor’s oncology cloud service.
The FDA cyber chief called this early 2021 incident a “watershed moment” for medical device security.
“Instead of ransomware simply disabling access to say electronic health records, which is still quite inconvenient, in this case the remediation process to the ransomware caused an outage such that patients could not receive that particular therapy from the medical device,” Fu said. “That was something we haven’t seen before.”
The new challenge for healthcare organizations and the medtech industry is to ensure the availability of medical devices amid growing cyber threats that are putting patient safety at risk, according to Fu.
“You can’t have a safe and effective medical device if it’s unavailable,” Fu argued. “Similarly, you can’t have a safe and effective medical device if you don’t have appropriate cybersecurity controls for problems of clinical relevance.”
Ransomware has put a spotlight on activities already underway at FDA, according to Fu. “What is changing is the understanding now that this is actually more important than we anticipated. Look what happens when the ransomware is disabling a hospital or a medical device from the ability to deliver patient care.”
FDA is seeking more legislative authorities to bolster medical device cybersecurity amid growing ransomware and other cyberattacks on healthcare organizations. FDA’s 2018 Medical Device Safety Action Plan laid out the agency’s cybersecurity roadmap for extending oversight across the entire product lifecycle of devices, according to Suzanne Schwartz, director of CDRH’s Office of Strategic Partnerships and Technology Innovation.
Schwartz told MedTech Dive in August that the agency wants to require medtechs, as part of a premarket submission, to provide a Software Bill of Materials (SBOM) — an electronically readable inventory of the third-party components in a device — and to build the capability to update and patch device security into the product’s design.
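To make concrete what an electronically readable component inventory buys a device maker or a hospital, here is an added example (not from the article, FDA, or any device vendor) that loads a minimal SBOM in the CycloneDX JSON layout, flags components that cannot be matched to anything because they carry no version, and matches the rest against an advisory list. The SBOM contents, the advisory entries and their `fixed_in` field are constructed for illustration; only the CycloneDX field names (`bomFormat`, `specVersion`, `components`, `purl`) are real.

```python
"""Inventory third-party components from a CycloneDX-style SBOM and match them
against an advisory list.  Added example; the SBOM and advisories below are
constructed for illustration and are not real device data."""
import json

# Constructed SBOM in the CycloneDX JSON layout.  Field names are CycloneDX's;
# the device, component names and versions are made up.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "device", "name": "infusion-pump-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2u", "purl": "pkg:generic/openssl@1.0.2u"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "operating-system", "name": "embedded-linux", "version": "4.4.0", "purl": "pkg:generic/embedded-linux@4.4.0"},
    {"type": "library", "name": "vendor-ui-lib", "purl": "pkg:generic/vendor-ui-lib"}
  ]
}
'''

# Constructed advisory list keyed by component name.  The ids and fixed_in
# versions are hypothetical and exist only to exercise the matching logic.
ADVISORIES = {
    "openssl": {"id": "ADV-EXAMPLE-1", "fixed_in": "1.1.1"},
    "embedded-linux": {"id": "ADV-EXAMPLE-2", "fixed_in": "4.4.1"},
}


def parse_version(version):
    """Split '1.0.2u' into ((1, ''), (0, ''), (2, 'u')) so versions compare
    numerically per field and by letter suffix second.  Deliberately simple;
    real tooling applies ecosystem-specific comparison rules."""
    parts = []
    for piece in version.split("."):
        digits = ""
        i = 0
        while i < len(piece) and piece[i].isdigit():
            digits += piece[i]
            i += 1
        parts.append((int(digits) if digits else 0, piece[i:]))
    return tuple(parts)


def load_components(sbom_text):
    """Return the component entries of a CycloneDX JSON document, rejecting
    input that does not declare the CycloneDX format."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"type": c.get("type"), "name": c["name"],
         "version": c.get("version"), "purl": c.get("purl")}
        for c in doc.get("components", [])
    ]


def find_unversioned(components):
    """Components without a version cannot be matched to any advisory, so an
    SBOM listing them is incomplete for the purpose the article describes."""
    return [c["name"] for c in components if not c.get("version")]


def match_advisories(components, advisories):
    """Report (name, version, advisory id) for every versioned component whose
    version sorts below the advisory's fixed_in version."""
    hits = []
    for c in components:
        adv = advisories.get(c["name"])
        if adv is None or not c.get("version"):
            continue
        if parse_version(c["version"]) < parse_version(adv["fixed_in"]):
            hits.append((c["name"], c["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print(f"{len(comps)} components inventoried")
    for name in find_unversioned(comps):
        print(f"  {name}: no version recorded, cannot be matched to advisories")
    for name, version, adv_id in match_advisories(comps, ADVISORIES):
        print(f"  {name} {version} is affected by {adv_id}")
```

The unversioned-component check is the part worth keeping in mind when reading SBOM requirements: an inventory is only as useful as the identifiers in it, and a component listed by name alone (the constructed `vendor-ui-lib` above) cannot be tied to any advisory or patch.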
Speaking at the AdvaMed conference, CDRH Director Jeff Shuren said the agency plans to release in the coming months updated guidance on its “premarket expectations for design and review of devices to assure cybersecurity.”
Fu contends that medical devices “need to be designed with security in mind in order to resist even everyday, run-of-the-mill threats like ransomware.” However, currently there is no statutory requirement, premarket or postmarket, that expressly compels device manufacturers to address cybersecurity.
“I wish we could spend more attention on premarket so that five years from now we don’t have to spend as much on postmarket,” Fu said. “By building security in, we are going to have much safer and effective medical devices despite the increasing and sophisticated cyber threats.”