Regulators and medical-device-makers are bracing for an expected barrage of hacking attacks even as legal and technical uncertainties leave them in uncharted territory.
Tens of millions of electronic health records have been compromised in recent years, a number that is growing and, some say, underreported.
High-profile attacks have hit hospitals and health insurers, and now attention is turning to a new vulnerability: medical devices like pacemakers and insulin pumps.
The Food and Drug Administration (FDA) has become increasingly concerned about the issue and is working to coordinate with other agencies on how to respond if a serious medical device hack were to occur.
"This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion ... and they have to be hardened," said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.
There have been rumblings over cybersecurity for years.
More than 113 million personal health records were compromised in 2015, according to provider data reported to the Department of Health and Human Services (DHS), nine times as many as in 2014.
Last fall, Johnson & Johnson had to tell its customers that its insulin pumps had a security vulnerability that hackers could use to access the device and cause a potentially fatal overdose of insulin. The pump, called the Animas OneTouch Ping, had a wireless controller that made it vulnerable. Wireless connection can be an easy access point for hackers.
A similar incident occurred in July 2015, when the FDA told hospitals not to use Hospira's Symbiq infusion pumps because of a vulnerability that could allow the pump to be accessed through a hospital network, potentially allowing a hacker to change the dose.
The pump was no longer being sold by Hospira, but the FDA also discouraged providers from buying it from third parties.
In 2013, hacker Barnaby Jack claimed he had discovered how to take control of a pacemaker from up to 50 feet away and create a lethal shock using the device. He was set to reveal his method at the world's largest hacker conference in Las Vegas but died the night before.
Notably, former Vice President Dick Cheney's doctor had the wireless capability of Cheney's pacemaker as a safety precaution.
So far, though, there have been no known cases of medical-device hacking causing patient harm, according to Zach Rothstein, associate vice president at the Advanced Medical Technology Association.
Healthcare's hacking problem.
Hackers can tap into one weak point at a hospital — like an unsecured wireless printer — and access the entire system. Hackers can take over a hospital's electronic records or lock them out of their website and only return control after a ransom is paid, often in Bitcoin.
Hackers can change medical record information on allergies, diagnoses, or doses of prescribed drugs. Incorrect information on even one medical record could be fatal. Aside from the obvious human cost, an incident like that could have serious financial consequences for a hospital.
"In just the last few years ... we've seen more than a hundred million health records of American citizens breached in a couple of well-publicized incidents," Terry Rice, vice president of IT risk management and chief information security officer at Merck & Company, told the Energy and Commerce Oversight and Investigations Subcommittee last week.
"Vulnerabilities in pacemakers and insulin pumps can be exploited to cause potentially lethal attacks and we have witnessed entire hospitals in the U.S. and U.K. shutting down for multiple days to combat ransomware infections in critical systems," he added.
The Department of Health and Human Services has acted to combat these cybersecurity threats. The Office of the National Coordinator for Health Information Technology, which leads the administration's health technology efforts, awarded $350,000 last October to the National Health Information Sharing and Analysis Center to educate healthcare stakeholders. The funding would also create a system to allow groups to share information about breaches and ransomware attacks.
Rice, who serves on the Healthcare Industry Cybsecurity Task Force, which was created by the Cybersecurity Information Sharing Act of 2015, told the subcommittee that the cybersecurity problem is “significantly underreported.”
He also noted the lack of incentives for companies to report and fears of the harm to their brand or reputation.
“Organizations are unlikely to report security incidents if not required to do so given the potential reputational harm that might occur," he said. "The reports we read about are only a small fraction of the incidents that actually occur."
A 2016 study by the Ponemon Institute found that the majority of breaches reported by the organizations they surveyed contained fewer than 500 records, which aren't counted in the latest HHS data.
Who is liable?
Hacking of a medical device could lead to injury, illness or death, which raises the question: if someone sues, who is liable?
The FDA says in its premarket guidance that: “FDA recognizes that medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices.”
This could be encouraging for device-makers, especially since security flaws unrelated to a device, such as an unsecured wireless printer, could make a device accessible to a hacker.
Since there have been no known cases of patient harm related to medical device hacking, there are few suits. But Melissa Markey, a technology and cybersecurity lawyer at Hall Render, said within the next decade hacking attempts and, as a result, litigation will increase.
Markey points out that FDA guidance on medical devices says manufacturers have an obligation to consider the cybersecurity of their devices during design and throughout the operating life of that device. That could likely provide the basis for someone to allege that manufacturers have a duty to do more to secure devices.
"Even though we would have all intuitively said, well yes medical device-makers obviously should make their devices safe from being hacked, that FDA guidance removes any question, I think, that, yeah, this is an obligation," Markey told The Hill Extra.
Markey said even hospitals could also end up filing suit against device-makers if the device made their system vulnerable.
Vaccine liability could serve as a model, Markey suggested.
The National Vaccine Injury Compensation program was created in the 1980s to protect vaccine companies and healthcare providers from lawsuits from individuals who claimed a vaccine caused them injury.
The fund was a "no-fault" way that served as insurance for the vaccine companies after lawsuits began to give companies second thoughts about getting into the vaccine business. It could prove to be a model for the device industry if fear over lawsuits begins to stymie innovation.
"There are some people who hack because this is a money-making opportunity, and there will be people who figure out how to hack medical devices in order to make money," Markey said. "They will find a way to exploit a vulnerability and use that to get money from the device company or they will use that to get money from another company somehow."
Information sharing is considered a major bulwark to protect against hacking attempts. The healthcare community has an information-sharing group, where providers, manufacturers and others update their defenses against common threats.
Within this community, medical device-makers have their own sub-community. Congress and the industry are both promoting healthcare information sharing, hoping to get it up to par with other industries, such as the financial sector which is known for its cyber readiness.
Rothstein said both the FDA and industry are hiring cybersecurity experts across the board to up their defenses.
"You're starting to see FDA hire software experts so that internally they have more capabilities to evaluate cyber security programs of these companies," he said.
Many companies are adopting "coordinated disclosure" policies where researchers or "white hat" hackers can report vulnerabilities directly to the company instead of making them public.
If a vulnerability is made public before the company is made aware, hackers could compromise devices before the company has time to fix their vulnerabilities.
Hospitals are backing up their files and also increasingly adding cybersecurity protections into their contractual agreements. Rothstein expects this practice to increase.
"The medical device industry, I would say in the last two-and-a-half years or so, has gone from general understanding of the issue, general participation to extreme awareness and participation in cybersecurity efforts," Rothstein said.
See more exclusive content on policy and regulatory news on our subscription-only service here.