It is unfortunate but true — medical devices connected to a network can be attacked by computer hackers.
And most medical device companies are relatively small, juggling the tasks of perfecting new device designs and finding money to keep the lights on.
With their focus on making new devices work as intended, ensuring that hackers can’t take those devices over is an extra burden that is simply not being met by many companies today, according to experts at Minneapolis-based cybersecurity firm Adventium Labs.
“The average size of a medical device company is under 50 people. ... It’s very unlikely they have a security expert on staff. And if they do, it’s probably an IT security expert, which is not the same thing,” said Todd Carpenter, chief engineer with Adventium, which has 32 employees and headquarters along the Mississippi.
Adventium is trying to find ways to help smaller firms address big cyber-challenges. It is using federal grants to develop software that will be offered on an open-source basis to tech companies, including medical technology start-ups, to improve early stage cybersecurity and ensure devices can quickly adapt to future threats that can’t be predicted yet. “Open source” means free, but essentially without warranty.
Late last month, the company announced it received $1 million from the U.S. Army to develop software that analyzes whether devices create unexpected vulnerabilities when networked, which can happen even when each individual device is considered secure. That project is called the Safety and Security Co-Analysis Tool Environment, or SSCATE.
Also in the works is the ISOSCELES program, funded with $2.2 million from the Homeland Security Department, to demonstrate how to build a safe and secure system that protects devices by separating their discrete functions while complying with Food and Drug Administration guidelines. Finally, the U.S. Defense Department is providing $750,000 for a tool known as TEEE, which will make it easier for long-lived systems including medical devices to adapt to emerging threats.
“We have hundreds of medical device companies just in Minnesota. If we can get them on better footing, and get them through the FDA faster, we will see more of those innovations in the market,” Carpenter said. He noted companies hoping to get acquired can improve their chances by thinking about cybersecurity from the very beginning.
The FDA has nonbinding rules encouraging devicemakers to consider cybersecurity issues when designing devices and submitting them for approval.
Advocates for industry point out there has never been a documented case of a successful malicious cyberattack on a medical device with the intent to physically hurt a patient. Hospitals are targeted by “ransomware” hackers, but such attacks typically happen through e-mail.
“We can look at instances of cybersecurity attacks on political organizations, insurance records, hospital systems. You’re not doing stories about cybersecurity attacks on medical devices, because there haven’t been any that have been successful,” said Shaye Mandle, CEO of the Medical Alley Association trade group. “The cybersecurity threat to medical devices is an unrealized threat.”
Yet critics of the industry see a need to prioritize cybersecurity in the earliest design stages.
Justine Bone, the chief executive of Florida-based MedSec Holdings, said the tools under development at Adventium are a potential step in that direction. MedSec is the firm that identified and helped publicize vulnerabilities in pacemakers and implantable defibrillators made by then-Minnesota-based St. Jude Medical.
Bone said tools like SSCATE will make it easier for hospitals and health care providers to check the security of devices.
“It’s the manufacturers who must take responsibility for maintaining and producing quality, secure products, but their customers (e.g. hospitals) can help achieve that with the availability of security analysis technologies such as these,” Bone said via e-mail. She has no affiliation with Adventium.
St. Jude, which was acquired Jan. 4 by Abbott Laboratories, has staunchly defended the security of its heart devices and its ongoing cybersecurity efforts.
On Jan. 9, the FDA confirmed that St. Jude’s home-monitoring system for pacemakers and defibrillators contained a cyber-vulnerability, and St. Jude rolled out a software security update. Since 2015, Homeland Security’s Industrial Control Systems Cyber Emergency Response Team has issued advisories for devices made by Johnson & Johnson, Baxter, CareFusion, Hospira, St. Jude and Smiths Medical.
Medical devices have unique constraints that make cyberdefense difficult, especially devices implanted in the body, which have to be small, battery-efficient and reliable for many years. Cybersecurity can’t add bulk, battery drain, or cost.
“If [they] make the device more expensive, fewer people will get the therapy. And that is not good,” Carpenter said. “So device makers have had to make trade-offs.”
And that’s if they’re considering the problem at all. Bob Cattanach, a Minneapolis partner with the law firm Dorsey & Whitney who specializes in cybersecurity and compliance, said start-up companies he’s worked with are focused on the functionality of their products.
“They are trying to get the device to work, and then get it through FDA testing and get it to market. That’s 99 percent of their focus,” he said. “Not to be critical. They just don’t have the resources to do everything all at once.”
The tools from Adventium won’t be available right away. The company intends to start showing its ISOSCELES platform later this year, perhaps at one of the Twin Cities med-tech conferences where smaller firms are likely to attend, Carpenter said.
Design and testing tools from SSCATE and TEEE are slated to be available in early 2019.
“These small companies are all about the diagnostics and therapies,” Carpenter said. “If you can slide in this capability underneath, that it is safe and secure, now they can do what they do best.”