HCCA Research Compliance Conference May 31-June 3, 2015


Slide 1: Cybersecurity of Medical Devices and the Impact on Research
Ken Briggs, Esq.
Polsinelli PC, Phoenix
One East Washington St., Suite 1200, Phoenix, AZ
June 2015

Slide 2: Disclaimer
Polsinelli PC (in California, Polsinelli LLP) provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. Polsinelli is a registered mark of Polsinelli PC.

Slide 3: Concepts to Cover
- Orientation
- What is cybersecurity?
- What are the threats?
- Key players
- Regulations
- Medical devices
- Cybersecurity research considerations

Slide 4: Orientation

Slide 5: Impact on Research
- Bringing medical devices to market
- Allocating liability among the manufacturer, physician/PI, hospital, and patient
- Regulatory response

Slide 6: What is a Medical Device?
The FDA defines a medical device as: an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory, which is:
- recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
- intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
- intended to affect the structure or any function of the body of man or other animals;
and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.

Slide 7: Medical Devices
Can be big or small and (relatively) simple. [images]

Slide 8: Medical Devices
Can be big or small and complex. [images]

Slide 9: Medical Devices
What about these? [images]

Slide 10: Medical devices become far more complex when they:
- Connect with other devices
- Can be modified/personalized
- Depend on user/third-party inputs
- Need advanced power sources

Slide 11: Medical Device Connectivity
So this [a single device] quickly becomes this [a device connected to many parties]. [diagram]

Slide 12: Medical Device Connectivity
[diagram] The device at the center is connected to: the patient, the physician (and physicians with other devices), the hospital, the home, the manufacturer, other devices, other patients, the Internet, and others.

Slide 13: Medical Device Connectivity
[diagram] The device is linked to the manufacturer, the hospital, the patient, the physician, and others.

Slide 14: Cybersecurity

Slide 15: What is Cybersecurity?
There is no fixed definition of cybersecurity.
- "The process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient." FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2, 2014)
- "The ability to protect or defend the use of cyberspace from [cyber attacks]," where a cyber attack is "an attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information." CNSSI-4009

Slide 16: Threat Overview
- Threats: malware, denial-of-service, unauthorized access, theft/loss, others
- Consequences of an incident:
  - Complete or partial malfunction: the device does not work at all, or does not work in the intended way
  - Compromise: the device is used as a pivot into other systems; patient/financial information is exposed
- Intentional vs. unintentional: what does it matter?

Slide 17: Threat Overview
- Malware/virus. A virus is a computer program that can replicate itself, infect a computer without the permission or knowledge of the user, and then spread or propagate to another computer. Malware more generally is software that compromises the operation of a system by performing an unauthorized function or process.
- DoS/DDoS. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Commonly used to shut down or interrupt a network.
- Unauthorized access. Any access that violates the stated security policy.
- Others? Theft? Loss?

Slide 18: Source of Threats
- Threat actors everyone talks about (GAO threat table): national governments, terrorists, industrial spies and organized crime groups, hacktivists, hackers.
- Where most of the issues do or will originate: users/patients, the manufacturer/developer, and multi-party failures.

Slide 19: Malicious Threat Lifecycle
- Phase 1, Reconnaissance: the adversary identifies and selects a target(s).
- Phase 2, Weaponize: the adversary packages an exploit into a payload designed to execute on the targeted computer/network.
- Phase 3, Deliver: the adversary delivers the payload to the target system(s).
- Phase 4, Exploit: adversary code is executed on the target system(s).
- Phase 5, Install: the adversary installs remote access software that provides a persistent presence within the targeted environment or system.
- Phase 6, Command and Control: the adversary employs remote access mechanisms to establish a command and control channel with the compromised device.
- Phase 7, Act on Objectives: the adversary pursues intended objectives (e.g., data exfiltration, lateral movement to other targets).
Source: NIST Special Publication (draft), Oct.

Slide 20: Malicious Threat Lifecycle (as seen from the device)
- Phase 1: Device weaknesses are observed and researched
- Phase 2: Malicious code/software/virus is developed
- Phase 3: The package is delivered to the target through one or more devices
- Phase 4: Software on the device is executed or manipulated
- Phase 5: The device, or software on the device, is told what to do
- Phase 6: Information is collected; the device is compromised, shut down, or broken
Intentional vs. unintentional?

Slide 21: Unintentional Threat
Malfunction or unintended consequence of design/code/software:
- Code is not properly written or conflicts with new code
- The device, or information on the device, is compromised
- Code does not save all the information
- Output directions are misprinted
- The device is instructed to perform an unintended function

Slide 22: Threat Environment
"There is no such thing as a threat-proof medical device." Suzanne Schwartz, M.D., MBA, FDA's Center for Devices and Radiological Health
"Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches." Dr. Kevin Fu, member, NIST Information Security & Privacy Advisory Board

Slide 23: Examples of Threats
- The U.S. Department of Homeland Security is investigating nearly two dozen cases of suspected cybersecurity flaws in medical devices.
- Beth Israel Deaconess Medical Center in Boston reported 664 pieces of medical equipment running on outdated operating systems.
- Boston Children's was the subject of a hacktivist DDoS attack in which it experienced nearly 40 times its usual inbound traffic. There were also direct attacks on internet-facing ports.
- Researchers Billy Rios and Terry McCorkle discovered a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors (published as an ICS-CERT alert in June 2013). A hard-coded credential cannot be rotated by the hospital, so the only mitigations available to the facility are network restriction and vendor firmware changes.
- Software failures were behind 24 percent of all medical device recalls in [year missing from the transcript]. There were 429 device recalls for software design during FY 2010 and [year missing from the transcript].
- At the DEF CON hacking conference (2011), Jerome Radcliffe remotely manipulated the dosage levels delivered by an insulin pump from up to 300 feet away.

Slide 24: Key Players

Slide 25: Key Players
- Manufacturers: develop devices; financial interest in success (= sales)
- Hospitals: purchase, develop, research
- Physicians: prescribe, purchase, research
- Patients: recipients and users; not merely bystanders

Slide 26: Key Regulations

Slide 27: Key Regulations
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- FDA medical device manufacturing requirements
- FDA research regulations
- Common Rule: protection of human subjects
- Consumer protection: the FTC and state attorneys general stop unfair, deceptive and fraudulent business practices; civil lawsuits

Slide 28: Current Regulatory Process
- Step one: device classification (Class I, II, III)
- Step two: identify the appropriate path: 510(k) (premarket notification), PMA (premarket approval), De Novo (evaluation of automatic Class III designation), HDE (humanitarian device exemption)
- Step three: prepare information for submission: design controls, nonclinical testing, clinical evidence, labeling
- Step four: send information to FDA
- Step five: complete registration and device listing

Slide 29: Development of Medical Devices
- FDA classification: Class I, Class II, Class III
- Investigational Device Exemption (IDE)
- Regulatory review:
  - Premarket Approval (PMA): high-risk devices that pose a significant risk of illness or injury, or devices found not substantially equivalent to a Class I or II predicate through the 510(k) process. More involved, and includes the submission of clinical data to support claims made for the device.
  - Premarket notification (510(k)): demonstrate that the device is substantially equivalent (1) to a device legally marketed before May 28, 1976, or (2) to a device that FDA has determined to be substantially equivalent.
- Quality control
- Post-approval studies or reports; adverse events (MAUDE)
- Mobile devices: used as an accessory to a regulated medical device, or to transform a mobile platform into a regulated medical device.

Slide 30: Device Classes
- Class I: low risk; 47% of devices; most (74%) are exempt from 510(k).
- Class II: higher risk; 43% of devices; most require 510(k).
- Class III: generally the highest risk, subject to the highest level of regulatory control; most require PMA.

Slide 31: Medical Devices: Premarket Notification (510(k))
- A submission made to FDA to demonstrate that the device to be marketed is at least as safe and effective as, that is, substantially equivalent to, a legally marketed device (21 CFR (a)(3)) that is not subject to PMA.
- Requires demonstration of substantial equivalence to another legally U.S.-marketed device.
- Substantial equivalence is established with respect to intended use, design, energy used or delivered, materials, chemical composition, manufacturing process, performance, safety, effectiveness, labeling, biocompatibility, standards, and other characteristics, as applicable.

Slide 32: Medical Devices: Premarket Approval (PMA)
- PMA is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.
- Four-step process at FDA: (1) administrative and limited scientific review for completeness; (2) in-depth scientific, regulatory, and Quality System review; (3) review and recommendation by the appropriate advisory committee; and (4) final deliberations and decision.
- Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or present a potential, unreasonable risk of illness or injury.
- Requires documentation to demonstrate the safety and effectiveness of the device. If the device contains software or is controlled by a computer, the submission should contain documentation of software development and validation appropriate to the level of risk of the software.

Slide 33: Investigational Device Exemption (IDE)
- An IDE allows the investigational device to be used in a clinical study in order to collect safety and effectiveness data.
- Clinical studies are most often conducted to support a PMA. Only a small percentage of 510(k)s require clinical data to support the application.

Slide 34: Investigational Device Exemption (IDE)
Clinical evaluation of devices that have not been cleared for marketing requires:
- an investigational plan approved by an IRB;
- approval by FDA if the study involves a significant-risk device;
- informed consent from all patients;
- labeling stating that the device is for investigational use only;
- monitoring of the study; and
- required records and reports.
Good Clinical Practices (GCP) must be complied with while conducting a clinical study.

Slide 35: Current Regulatory Process (recap)
Step one: device classification (Class I, II, III). Step two: identify the appropriate path (510(k), PMA, De Novo, HDE). Step three: prepare information for submission (design controls, nonclinical testing, clinical evidence, labeling). Step four: send information to FDA. Step five: complete registration and device listing.

Slide 36: Preparing Information for FDA
Step three: prepare information for submission.
- Design controls: design validation includes software validation and risk analysis, where appropriate.
- Nonclinical testing
- Clinical evidence
- Labeling

Slide 37: Design Controls
- Scope: all manufacturers (including specification developers) of Class II and III devices and select Class I devices are required to follow design controls [...] during the development of their device. The design control requirements are basic controls needed to ensure that the device being designed will perform as intended when produced for commercial distribution.
- 21 C.F.R. (g): "Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the [design history file]."

Slide 38: Recent FDA Guidance
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2014).
- This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.
- Applicable to devices that contain software as well as software that is itself a medical device.
- Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
- Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 CFR (g).
- The Agency recommends that medical device manufacturers consider the following core functions (those of the NIST Cybersecurity Framework) to guide their cybersecurity activities: Identify, Protect, Detect, Respond, and Recover.

Slide 39: Recent FDA Guidance
"Design validation shall include software validation and risk analysis, where appropriate." The approach should appropriately address the following elements:
- identification of assets, threats, and vulnerabilities;
- assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
- assessment of the likelihood of a threat and of a vulnerability being exploited;
- determination of risk levels and suitable mitigation strategies;
- assessment of residual risk and risk acceptance criteria.

Slide 40: Recent FDA Guidance
Identify and Protect: the extent to which security controls are needed will depend on the device's intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.
Detect, Respond, and Recover:
- Implement features that allow security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
- Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
- Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised;
- Provide methods for retention and recovery of device configuration by an authenticated privileged user.

Slide 41: Recent FDA Guidance
In the premarket submission [not just PMA], manufacturers should provide the following information related to the cybersecurity of their medical device:
1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with the device, including: a specific list of all cybersecurity risks that were considered in the design of the device; and a specific list and justification for all cybersecurity controls that were established for the device.
2. A traceability matrix that links the actual cybersecurity controls to the cybersecurity risks that were considered.
3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.
4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g., remain free of malware) from the point of origin to the point at which the device leaves the control of the manufacturer.
5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-virus software, use of a firewall).

Slide 42: Impact of FDA Guidance
- Application to research: "Manufacturers may also consider applying the cybersecurity principles described in this guidance as appropriate to Investigational Device Exemption submissions and to devices exempt from premarket review."
- Documentation
- Cost
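The risk-analysis elements on slide 39 and the risk list, control list and traceability matrix asked for on slide 41 are one data set viewed three ways. The following is an added example, not code from the presentation or from the FDA guidance, of how a submission team might keep that data set consistent: each risk records its asset, threat, vulnerability, likelihood and impact; each control names the risks it mitigates; the traceability matrix is derived rather than hand-maintained, so a risk with no control or a control pointing at a non-existent risk is caught mechanically; and residual risk is compared with an acceptance criterion. The 5x5 scoring scale, the reduction model, the threshold of 6 and every register entry (an imaginary connected infusion pump) are constructed for illustration; the guidance prescribes none of them.

```python
"""Cybersecurity risk register with control traceability and a residual-risk check.

Added example. Scales, reduction model, acceptance threshold and register
entries are all constructed; nothing here is taken from the FDA guidance.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed 5x5 scales; risk level = likelihood x impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
ACCEPTANCE_THRESHOLD = 6  # constructed acceptance criterion: residual level must not exceed it


@dataclass
class Risk:
    id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


@dataclass
class Control:
    id: str
    description: str
    mitigates: List[str]           # ids of the risks this control traces to
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


def risk_level(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def traceability_matrix(risks: List[Risk], controls: List[Control]) -> Dict[str, List[str]]:
    """Risk id -> controls that address it. A control naming an unknown risk is a register defect."""
    matrix: Dict[str, List[str]] = {r.id: [] for r in risks}
    for c in controls:
        for rid in c.mitigates:
            if rid not in matrix:
                raise ValueError(f"{c.id} references unknown risk {rid}")
            matrix[rid].append(c.id)
    return matrix


def residual_level(risk: Risk, controls: List[Control]) -> int:
    """Apply every control traced to the risk; neither scale can drop below 1."""
    likelihood, impact = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for c in controls:
        if risk.id in c.mitigates:
            likelihood -= c.likelihood_reduction
            impact -= c.impact_reduction
    return max(1, likelihood) * max(1, impact)


def assess(risks: List[Risk], controls: List[Control], threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    matrix = traceability_matrix(risks, controls)
    initial = {r.id: risk_level(r.likelihood, r.impact) for r in risks}
    residual = {r.id: residual_level(r, controls) for r in risks}
    return {
        "initial": initial,
        "residual": residual,
        "matrix": matrix,
        "untraced": [rid for rid, cs in matrix.items() if not cs],         # risks with no control at all
        "not_accepted": [rid for rid, lvl in residual.items() if lvl > threshold],
    }


# Constructed register for an imaginary connected infusion pump.
RISKS = [
    Risk("R1", "dose controller", "unauthenticated dose command over the wireless link",
         "radio interface accepts commands without authentication", "possible", "catastrophic"),
    Risk("R2", "embedded operating system", "commodity malware", "no patch path for the OS",
         "likely", "serious"),
    Risk("R3", "service interface", "unauthorized access", "hard-coded service password",
         "likely", "critical"),
]
CONTROLS = [
    Control("C1", "authenticate and integrity-protect every radio command", ["R1"], likelihood_reduction=2),
    Control("C2", "signed firmware updates with a scheduled patch process", ["R2"], likelihood_reduction=2),
    Control("C3", "fail-safe mode: fall back to basal rate when command integrity is lost", ["R1"],
            impact_reduction=2),
]

if __name__ == "__main__":
    report = assess(RISKS, CONTROLS)
    for rid in report["initial"]:
        print(f"{rid}: initial {report['initial'][rid]:2d} -> residual {report['residual'][rid]:2d}, "
              f"controls {report['matrix'][rid] or 'NONE'}")
    print("untraced:", report["untraced"], "above acceptance criterion:", report["not_accepted"])
```

Running it shows R1 falling from 15 to 3 under two controls, R2 landing exactly on the acceptance line, and R3 (the hard-coded password) flagged twice: it has no control traced to it, and its residual level is unchanged at 16. That second list is the one a reviewer reads first, because a risk that was "considered" but left without a control and without a documented acceptance decision is the gap slide 41 is asking the manufacturer to close.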

Slide 43: Weaknesses in Current Process
- Guidance is weak and the potential consequences are very high
- Ad hoc reviews of cybersecurity are insufficient
- Transfer of responsibilities when the product goes to market is unclear
- Significant, overlapping liability
- Gaps in the regulation

Slide 44: Regulations: Gaps?
- HIPAA: patient information. What if a device is accessed but patient information is not accessed or breached?
- FDA: safety and efficacy of medical devices
- Common Rule: protection of human subjects in research
- FTC: consumer protection

Slide 45: Natural Path of Regulation
[cycle diagram] Nodes, in order around the cycle: current regulation -> regulatory ambiguity -> soft guidance -> technology and industry improvement -> hard guidance -> industry modification -> revised regulation. "You are here" marks the soft guidance stage.

Slide 46: Other Regulations: HIPAA
- Application: does not typically apply to manufacturers (unless the manufacturer handles PHI for a covered entity and is therefore a business associate); applies to covered entities such as hospitals and physicians.
- Remember the FDA definition of cybersecurity: it covers information transferred from the device to an external recipient, which is where HIPAA attaches.
- HIPAA obligations must be observed even during research.

Slide 47: Other Regulations: HIPAA
HIPAA risk analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." 45 C.F.R.
Required considerations (OCR Security Rule guidance, 2010):
- An organization must identify where ePHI is stored, received, maintained or transmitted.
- Organizations must identify and document reasonably anticipated threats to ePHI.
- Organizations should assess and document the security measures an entity uses to safeguard ePHI, whether security measures required by the Security Rule are already in place, and whether current security measures are configured and used properly.
- A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.

Slide 48: Other Regulations: HIPAA
- Research authorization requirements: "When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization." 45 C.F.R.
- Breach of unsecured PHI: "[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information." A covered entity must notify the individual(s), the OCR, and possibly the media.

Slide 49: Allocation of Liability in Research
- Regulatory, civil, contract, costs (development/research)
- How is liability identified and allocated? Contracts, clearer regulation, transparent guidance, case law, a unified industry.

Slide 50: Research Considerations: Hospitals and Manufacturers
Informal FDA guidance to hospitals and manufacturers (FDA Safety Communication, June 13, 2013): "Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:
- network-connected/configured medical devices infected or disabled by malware;
- the presence of malware on hospital computers;
- uncontrolled distribution of passwords;
- failure to provide timely security software updates and patches to medical devices;
- security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access.
The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time."

Slide 51: Research Considerations: Hospitals and Manufacturers
FDA recommendations to device manufacturers:
- Take steps to limit unauthorized device access to trusted users only [sic].
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device's use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: the FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
- Use design approaches that maintain a device's critical functionality even when security has been compromised, known as fail-safe modes.
- Provide methods for retention and recovery after an incident where security has been compromised.
- Cybersecurity incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
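"Restrict software or firmware updates to authenticated code" is the one recommendation on slide 51 that is a concrete engineering control rather than a process, and it is the control that makes the "timely, validated patches" point workable: a device that will accept any image will also accept an attacker's. The following is an added example, not the FDA's or any vendor's code, of the checks a device-side updater performs, in the order that matters: authenticate the manifest first, refuse downgrades second, bind the image bytes to the manifest third, and on any failure keep running the currently installed image (the fail-safe behaviour the same slide asks for) while logging the attempt. HMAC-SHA256 with a device-provisioned key is used so that the example runs on the Python standard library; that is an assumption of this example, and a production design would instead sign the manifest with an asymmetric key whose public half is held in immutable device storage, so that no device holds a key capable of approving an image. The key, image bytes, manifest and device model are constructed.

```python
"""Authenticated firmware update with anti-rollback and fail-safe fallback.

Added example. HMAC is used only so this runs on the standard library; a real
device would verify an asymmetric signature against a public key it cannot
alter. Key, images and manifest below are constructed, not real firmware.
"""
import hashlib
import hmac
import json
from typing import List, Tuple


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, manifest: dict) -> str:
    # Symmetric tag (assumption of this example); production: asymmetric signature.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(key: bytes, installed_version: int, manifest: dict,
                  tag: str, image: bytes) -> Tuple[bool, str]:
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(key, manifest), tag):
        return False, "manifest authentication failed"
    # 2. Anti-rollback: a genuinely signed but older image may reintroduce fixed bugs.
    if manifest["version"] <= installed_version:
        return False, f"rollback to version {manifest['version']} refused"
    # 3. Bind the image bytes to the authenticated manifest.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        return False, "image digest mismatch"
    return True, "accepted"


class Device:
    """Minimal constructed device model: current image, version, and an event log."""

    def __init__(self, key: bytes, version: int, image: bytes):
        self.key, self.version, self.image = key, version, image
        self.log: List[Tuple[int, str]] = []

    def apply_update(self, manifest: dict, tag: str, image: bytes) -> bool:
        ok, reason = verify_update(self.key, self.version, manifest, tag, image)
        self.log.append((manifest.get("version", -1), reason))  # detected, logged, acted upon
        if ok:
            self.version, self.image = manifest["version"], image
        # On rejection nothing changes: the device keeps running its current validated image.
        return ok


# Constructed key, images and manifest.
DEVICE_KEY = b"constructed-per-device-key-not-for-production"
IMAGE_V1 = b"constructed firmware image v1"
IMAGE_V2 = b"constructed firmware image v2"
MANIFEST_V2 = {"device": "pump-x", "version": 2, "sha256": hashlib.sha256(IMAGE_V2).hexdigest()}
TAG_V2 = sign_manifest(DEVICE_KEY, MANIFEST_V2)


def demo() -> Tuple[Device, dict]:
    """Four update attempts against a device on v1: only the genuine one should apply."""
    dev = Device(DEVICE_KEY, 1, IMAGE_V1)
    results = {
        "tampered image": dev.apply_update(MANIFEST_V2, TAG_V2, IMAGE_V2 + b"\x90"),
        "forged tag": dev.apply_update(MANIFEST_V2, sign_manifest(b"attacker-key", MANIFEST_V2), IMAGE_V2),
        "genuine": dev.apply_update(MANIFEST_V2, TAG_V2, IMAGE_V2),
        "replayed (rollback)": dev.apply_update(MANIFEST_V2, TAG_V2, IMAGE_V2),
    }
    return dev, results


if __name__ == "__main__":
    device, outcome = demo()
    for name, applied in outcome.items():
        print(f"{name:20s} applied={applied}")
    print("running version", device.version, "log:", device.log)
```

The ordering is deliberate: the version and digest fields are only meaningful once the manifest is known to be genuine, so checking them first would let an attacker-controlled manifest steer the rest of the logic. Note also that the replayed genuine update is refused; a signed image is not a permission to install it forever, which is what the patch-lifecycle plan on slide 41 is about.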

Slide 52: Research Considerations: Hospitals and Manufacturers
FDA recommendations to health care facilities:
- Evaluate your network security and protect your hospital system.
- Restrict unauthorized access to the network and to medical devices connected to the network.
- Make certain appropriate antivirus software and firewalls are up-to-date.
- Monitor network activity for unauthorized use.
- Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device.
- Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Slide 53: Research Considerations: Understanding Liability
- Will the manufacturer notify the hospital of cybersecurity issues?
- What if the device is breached, or used to breach the hospital's network?
- What if the hospital was notified of an update and does not perform it (or does not perform it correctly)?
- What if a device stops functioning and a patient is physically injured?
- What if patient information is taken directly from the device?

Slide 54: Incident Response
The activities of the hospital, the PI, and the manufacturer overlap. [diagram] Source: Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (Oct. 2009), ICS-CERT
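For a hospital the recommendations on slide 52 ("restrict unauthorized access to ... medical devices connected to the network", "monitor network activity for unauthorized use", "disabling all unnecessary ports and services") converge on one practical control for devices that cannot be patched or whose passwords cannot be changed: put them in their own segment, write down the few connections they legitimately need, and alert on everything else. The following is an added example, not from the FDA communication or any hospital, of that allowlist review run over flow records. The record format (timestamp, source, destination, destination port, protocol), the addressing plan (pumps in 10.20.5.0/24, everything in 10.0.0.0/8 hospital-internal) and the sample flows are constructed.

```python
"""Allowlist review of flow records for a medical-device network segment.

Added example. Record format, addressing plan and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: pumps live in one VLAN; everything in 10.0.0.0/8 is hospital-internal.
HOSPITAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DEVICE_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
# Egress the pumps are allowed: (destination, port, protocol). Anything else is an alert.
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.20.1.10"), 443, "tcp"),  # vendor pump server, TLS
    (ipaddress.ip_address("10.20.1.5"), 123, "udp"),   # hospital NTP
}
# Ingress to the pumps: (source, port, protocol); only the biomed jump host, vendor service port.
ALLOWED_INGRESS = {(ipaddress.ip_address("10.20.9.2"), 8443, "tcp")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())


def evaluate(flow: Flow) -> Optional[str]:
    """Return an alert reason, or None when the flow is permitted or outside the policy's scope."""
    src_dev, dst_dev = flow.src in DEVICE_SEGMENT, flow.dst in DEVICE_SEGMENT
    if src_dev and dst_dev:
        return "device-to-device traffic"  # pumps have no reason to talk to each other
    if src_dev:
        if (flow.dst, flow.dport, flow.proto) in ALLOWED_EGRESS:
            return None
        if not any(flow.dst in net for net in HOSPITAL_NETS):
            return "device egress outside the hospital network"
        return "device egress to non-allowlisted host/port"
    if dst_dev:
        if (flow.src, flow.dport, flow.proto) in ALLOWED_INGRESS:
            return None
        return "inbound to device from non-allowlisted source"
    return None  # neither end is a device: out of scope for this policy


def review(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reason = evaluate(flow)
        if reason:
            alerts.append((flow.ts, str(flow.src), str(flow.dst), flow.dport, reason))
    return alerts


# Constructed sample records (not real hospital traffic).
SAMPLE_FLOWS = [
    "2015-06-01T10:00:01 10.20.5.17 10.20.1.10 443 tcp",    # pump -> pump server: allowed
    "2015-06-01T10:00:02 10.20.5.17 10.20.1.5 123 udp",     # pump -> NTP: allowed
    "2015-06-01T10:00:03 10.20.5.17 10.20.1.10 445 tcp",    # SMB to the allowed host: wrong port
    "2015-06-01T10:00:04 10.20.5.17 198.51.100.23 80 tcp",  # pump reaching the internet
    "2015-06-01T10:00:05 10.20.9.2 10.20.5.17 8443 tcp",    # biomed jump host -> pump: allowed
    "2015-06-01T10:00:06 10.20.3.44 10.20.5.17 22 tcp",     # SSH from a ward workstation
    "2015-06-01T10:00:07 10.20.5.17 10.20.5.18 80 tcp",     # pump -> pump
    "2015-06-01T10:00:08 10.20.3.44 10.20.1.10 443 tcp",    # workstation traffic: out of scope
]

if __name__ == "__main__":
    for alert in review(SAMPLE_FLOWS):
        print(*alert)
```

The allowlist is keyed on host and port together, so a pump talking SMB to its own vendor server is still an alert: the server is expected, the service is not. The "device-to-device" rule is the one most often missing in practice, and it is what turns one infected pump into a segment-wide incident. Whatever the review flags is also the list of questions to put to the manufacturer, which is the last recommendation on the slide.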

Slide 55: Research Considerations: Key Contract Terms
- Duties and responsibilities
- Confidential or proprietary information
- Indemnification: scope of indemnification; extent of control (investigations, lawsuits)
- Compensation for subject injury
- Insurance: does it cover breach issues?
- Reporting obligations: from hospital/PI to manufacturer (adverse event; device deficiency); from manufacturer to hospital/PI (e.g., security discoveries)

Slide 56: Indemnification
What costs, claims, damages, etc. of the hospital and/or PI will be paid for by the manufacturer? HIPAA, injury, privacy.

Slide 57: Research Considerations: Due Diligence
Information requested from the manufacturer:
- Communication to patients
- Training provided by the manufacturer
- Updated security risk analysis
- Certificates of insurance
- IT contacts
- Other

Slide 58: Research Considerations: Dedicated Personnel
- Understands the devices
- Understands the liability and incentives through the research process
- Has knowledge of the transfer and use issues from the manufacturer to the patient


Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

Medical Product Software Development and FDA Regulations Software Development Practices and FDA Compliance

Medical Product Software Development and FDA Regulations Software Development Practices and FDA Compliance Medical Product Development and FDA Regulations IEEE Orange County Computer Society March 27, 2006 Carl R. Wyrwa Medical Product Development and FDA Regulations Introduction Regulated FDA Overview Medical

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications As smart phones and portable tablet computers become the preferred

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit Setting the Health Care Table: Politics, Economics, Health November 20-22, 2013 Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

Cybersecurity for the C-Level

Cybersecurity for the C-Level Cybersecurity for the C-Level Director Glossary of Defined Cybersecurity Terms A Active Attack An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources,

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

The Shifting Sands of Medical Software Regulation

The Shifting Sands of Medical Software Regulation The Shifting Sands of Medical Software Regulation Suzanne O Shea Ralph Hall September 10, 2014 What Software is Regulated by FDA? FDA regulates medical devices. FDA regulates software that meets the definition

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting

More information

Where s the App for That?

Where s the App for That? Where s the App for That? Mobile Medical Apps, Cybersecurity and the Regulatory and Litigation Landscape Sharon R. Klein Jan P. Levine Angelo A. Stio, III PBI Health Law Institute 2016 Spring 2016 1 Today

More information

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Anthony J. Coronado and Timothy L. Wong About the Authors Anthony J. Coronado, BS, is a biomedical engineering manager at Renovo Solutions

More information

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr. Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Considerations for using the Web for Medical Device Applications

Considerations for using the Web for Medical Device Applications Considerations for using the Web for Medical Device Applications MEDS, San Diego August 23 rd, 2012 Daniel Sterling, President Who is Sterling? Your Partner in Medical Device Development What we do: o

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Information Security and Risk Management

Information Security and Risk Management Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Medical Device Software

Medical Device Software Medical Device Software Bakul Patel Senior Policy Advisor 1 Overview Medical devices and software Oversight principles and Current approach Trends, Challenges and opportunities Addressing challenges 2

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name

More information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done? Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES INTRODUCTION Cybersecurity has become an increasing concern in the medical device

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement I. Definitions Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

Data Management & Protection: Common Definitions

Data Management & Protection: Common Definitions Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Cybersecurity Awareness. Part 1

Cybersecurity Awareness. Part 1 Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information