Recently, Thompson Coburn’s Life Sciences Decoded blog described several FDA initiatives to increase the safety and reliability of the emerging connected device market and discussed data privacy as it pertains to medical devices. The FDA’s PreCert program aims to fast-track innovation while respecting product reliability and integrity and the agency’s Digital Health Plan provides the FDA with tools to encourage the development of reliable, connected and digital devices.
However, security issues with connected devices continue. On March 13, 2018, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the Department of Homeland Security, released an advisory notice about a vulnerability in GE-made medical devices. The alert concerns hard-coded default user credentials in these devices. Although these default credentials can be changed with manufacturer assistance, the vulnerability “may allow a remote attacker to bypass authentication and gain access to the affected devices.” The impacted devices are medical imaging and radiological systems, associated software applications, and workstations for viewing the generated images. This incident is therefore a good example of how a single vulnerability of this kind can affect a wide range of medical devices, both hardware and software.
ICS-CERT has worked with the National Institute of Standards and Technology (NIST) to provide individual vulnerability alerts for each of the impacted GE devices:
- CVE-2010-5306 has been assigned to the GE Optima 520, 540, 640, and 680.
- CVE-2009-5143 has been assigned to the GE Discovery NM530c.
- CVE-2013-7404 has been assigned to the GE Discovery NM750b.
- CVE-2014-7232 has been assigned to the GE Discovery XR656 and Discovery XR656 Plus.
- CVE-2010-5310 has been assigned to the GE Revolution XQ/i.
- CVE-2014-7233 has been assigned to the GE THUNIS-800+.
- CVE-2012-6693, CVE-2012-6694, CVE-2012-6695, and CVE-2013-7442 have been assigned to the GE Centricity PACS Server.
- CVE-2017-14008 has been assigned to the GE Centricity PACS RA1000 workstation.
- CVE-2011-5322 has been assigned to the GE Centricity PACS-IW.
- CVE-2007-6757 has been assigned to the GE Centricity DMS.
- CVE-2003-1603 has been assigned to the GE Discovery VH and Millennium VG.
- CVE-2001-1594 has been assigned to the GE eNTEGRA 2.0/2.5 Processing and Review Workstation.
- CVE-2010-5309 has been assigned to the GE CADstream.
- CVE-2010-5307 has been assigned to the GE Optima MR360.
- CVE-2017-14004 has been assigned to the GE GEMNet License server (EchoServer).
- CVE-2004-2777 has been assigned to the GE Image Vault 3.x.
- CVE-2017-14002 has been assigned to the GE Infinia / Infinia with Hawkeye 4.
- CVE-2002-2446 has been assigned to the GE Millennium MG / Millennium NC / Millennium MyoSIGHT.
- CVE-2012-6660 has been assigned to GE Precision MP/i.
- CVE-2017-14006 has been assigned to GE Xeleris 1.0/1.1/2.1/3.0/3.1.
Furthermore, ICS-CERT has determined that information about this risk is widely and publicly available. As a result, it is imperative that impacted device owners contact GE for information on remediating the issue. However, from a privacy perspective, there are additional concerns.
Risks of device compromise
Compromised connected medical devices pose significant risks to the companies that use them. Devices like those listed above create medical records tied to patients, and if those records are available to an unauthorized user on a compromised system, the incident may trigger a HIPAA-related breach requiring notification of affected individuals and of HHS-OCR. Furthermore, the compromise may affect the integrity and accuracy of the device’s performance and, as a result, could significantly impact patient treatment and safety.
The compromise may also extend beyond the device itself. Networked devices that are accessible to attackers may serve as a foothold from which they can pivot to other devices, servers or workstations on the network to collect data, compromise further systems or devices, or launch ransomware attacks. Owners should consider the possibility that their device has already been compromised and conduct a thorough internal review of their network’s settings, the network traffic relating to the device, and any unauthorized remote connections to the device.
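One concrete form the review of “network traffic relating to the device” and “unauthorized remote connections” can take is to check accepted connections to the device against a short list of peers that are expected to talk to it. The script below is an added illustration, not code from GE, ICS-CERT or the original post; the device address, the authorized peers, the internal address ranges, the interactive-login ports and the firewall-style log lines are all constructed for the example and would be replaced by the owner’s own asset inventory and logs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset record for one imaging workstation (hypothetical address).
DEVICE_IP = "10.20.5.17"

# Peers expected to reach the device: the PACS server over DICOM (port 104)
# and an internal administration host over RDP (3389). Anything else is
# worth a closer look. All values are assumptions for this example.
AUTHORIZED_PEERS = {
    ("10.20.5.10", 104),   # PACS server, DICOM
    ("10.20.9.2", 3389),   # internal admin jump host, RDP
}

# The organisation's own address space (assumed); sources outside it are remote.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports on which a default credential would usually be used interactively.
# This is a common-sense list for the example, not taken from the advisory.
INTERACTIVE_PORTS = {22, 23, 3389, 5900}

# Constructed firewall-style record format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+) sport=\d+ "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dport: int
    reason: str


def classify(src: str, dport: int) -> Optional[str]:
    """Return why a connection to the device is suspicious, or None if it is expected."""
    if (src, dport) in AUTHORIZED_PEERS:
        return None
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in INTERNAL_NETS):
        return "remote connection from outside the internal address space"
    if dport in INTERACTIVE_PORTS:
        return "interactive login port reached from an unlisted internal host"
    return "unlisted peer"


def review_connections(lines) -> List[Finding]:
    """Walk log lines and collect accepted connections to the device that need review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # other record types are ignored
        if m["dst"] != DEVICE_IP or m["action"] != "allow":
            continue  # only connections the network actually permitted matter here
        reason = classify(m["src"], int(m["dport"]))
        if reason:
            findings.append(Finding(m["ts"], m["src"], int(m["dport"]), reason))
    return findings


# Constructed sample log: one expected DICOM transfer, one remote RDP session,
# one expected admin RDP session, one internal telnet session, one denied
# remote attempt (ignored) and one connection on an unlisted port.
SAMPLE_LOG = """\
2018-03-14T02:11:07Z conn src=10.20.5.10 sport=51233 dst=10.20.5.17 dport=104 action=allow
2018-03-14T02:13:41Z conn src=203.0.113.45 sport=44112 dst=10.20.5.17 dport=3389 action=allow
2018-03-14T02:14:02Z conn src=10.20.9.2 sport=50022 dst=10.20.5.17 dport=3389 action=allow
2018-03-14T02:20:19Z conn src=10.20.7.33 sport=49001 dst=10.20.5.17 dport=23 action=allow
2018-03-14T02:21:00Z conn src=198.51.100.9 sport=40001 dst=10.20.5.17 dport=3389 action=deny
2018-03-14T02:25:55Z conn src=10.20.7.34 sport=49100 dst=10.20.5.17 dport=8080 action=allow
"""

if __name__ == "__main__":
    for f in review_connections(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> port {f.dport}: {f.reason}")
```

Run on the sample, the script reports three connections for follow-up: the accepted RDP session from a remote address, the telnet session from an internal host that is not on the authorized list, and the connection on an unlisted port. Findings of the first kind are the ones most directly relevant to the advisory, since a device exposed to remote logins while still carrying its default credentials is the scenario ICS-CERT describes; the owner should confirm with GE that the credentials have been changed and then decide, with counsel, whether the records on the device have to be treated as potentially disclosed.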
FDA addresses risk/privacy concerns as part of its Digital Health Program
The FDA has clearly stated that its Digital Health Program is designed not only to allow for better disease management through information and patient participation, but also to create more efficient workflows and, therefore, more efficient clinical practices through the use of technology. The program is working to develop more secure pathways for patient and treatment information, so as to avoid situations like the one currently at issue with the GE technology, a device with a software component. This new risk-based approach by the FDA reflects the concerns raised by data breaches and security lapses, and through its guidance documents the agency is helping the industry design an acceptably secure information-sharing pathway. This is consistent with the mandates of the 21st Century Cures Act. In addition, the FDA is expected to issue further guidance within the first quarter on its regulation of digital devices, what it will regulate, and further safety concerns. It will be interesting to see whether this GE issue influences those guidances.
Thompson Coburn has teams of attorneys experienced not only in dealing with medical devices and medical device approval before the FDA, but also with institutional and device cybersecurity issues and responding to potential data security compromises. If you have any questions about these issues, or any other topic on Life Sciences Decoded, please do not hesitate to reach out to one of our team members.