Many people do not realize the cybersecurity risks associated with common medical devices, such as insulin pumps and pacemakers, but these medical devices can be prone to hacking and to errors, experts said at a meeting of the US Food and Drug Administration’s (FDA‘s) Patient Engagement Advisory Committee (PEAC) on September 10.
Physicians and healthcare providers may not know how to educate patients about these issues ― if they give patients too little information, patients may not understand when to get help with their device. If providers give the patient too much information or in language they don’t understand, patients may become unnecessarily anxious.
Hacking a Serious Problem
When most people envision someone hacking an electronic device, their first thought is not usually of a medical device such as an insulin pump, but at least two speakers at the advisory committee meeting described how easy it was to hack their own medical devices by reverse-engineering them.
One factor relates to how medical devices have changed over time. Many medical devices, including surgical laser systems, blood pressure cuffs, dialysis systems, and MRI machines, formerly were “standalone technologies implanted in patients or used in hospitals or clinics to diagnose, treat, or manage health conditions,” according to an FDA briefing document.
Now, many of these devices have a software component and are interconnected via wireless access networks and other networks. These factors increase the devices’ functionality, but they pose problems as well, including exposing patients’ private information and making errors the patient is unaware of, such as administering a wrong dose of insulin.
“In medical device cybersecurity, the risk is typically associated with an unauthorized person (threat) accessing the device(s) of one or more patients by exploiting a vulnerability (such as a security weakness in the device’s software or firmware). Examples include inappropriate pacing or shocks from a pacemaker or inappropriate dosing from an infusion pump,” according to the FDA briefing document.
Panel members discussed the types of information healthcare providers should tell patients, effective ways of communicating that information, and when and how to report problems with devices.
User-Friendly Approach Is Key
Committee members repeatedly said that many devices and the instructions that come with them are cumbersome and difficult to understand. Software updates and patches are needed to fix certain problems, but alerts to update devices such as cell phones occur frequently, and some users ignore alerts because they know that they will likely lose valuable information once they update their device.
Healthcare providers should use culturally appropriate language the patient understands and should use a translator if necessary. They should offer information in small portions to allow patients time to process and understand it. Healthcare workers should also consider using pictures and visual displays instead of words when possible.
The fact that it is impossible to predict which types of cybersecurity risks can affect a given medical device can make it more difficult for healthcare providers to have meaningful conversations about risks and benefits, but many patients prefer to have as much information as possible, one attendee said.
When to offer health education is just as important as how to deliver that information, a number of attendees said. For example, many patients will not remember information that is given to them when they are waking up from anesthesia or when they are stressed, afraid, or in pain.
In addition, patients’ preferences regarding communication methods vary: some prefer to make traditional telephone calls, others like to send text messages or emails, and some prefer to receive letters in the mail. Knowing a patient’s communication preference will help provide device warnings and alerts when needed and ensure the patient reads them.
Another factor to consider is that patients who live in rural areas may have limited access to the Internet, newer telephone technology, and telephone service providers.
Continuous Vigilance Needed
It is not always possible to anticipate problems or defects that may arise, because certain factors regarding cybersecurity risk are not known, several panelists said; therefore, constant vigilance for problems is necessary, as is timely, effective communication to users of medical devices regarding cybersecurity risks.
The most important factor regarding response to an attack, such as the May 2017 WannaCry ransomware attack, is planning. However, planning only for specific events is often ineffective, Natashia Tamari, associate director, Cybersecurity Incident Response, Becton Dickinson, said.
“We can take plans and make them for very specific scenarios, but that is not going to help us; we really have to make frameworks and take [into consideration] how do we communicate with each other and who needs to be in the room and what does the coordination look like, because that’s really going to be what’s key in preparing for these types of vulnerabilities,” Tamari explained.
In considering whether to issue a safety communication to the public regarding medical device cybersecurity, the FDA considers a number of factors, such as the likelihood that the device will be successfully exploited; how quickly such an attack could happen and the extent to which it could affect the patient population; and how much time it would take to initiate an effective countermeasure.
“For these reasons, FDA‘s communication approach regarding medical device cybersecurity has been anticipatory, forward-leaning and proactive as vulnerabilities are identified and verified before exploitation, and when there is a mitigation available, rather than waiting for a signal or indicator of harm to manifest,” according to the FDA briefing document.
Several attendees stressed the role of the FDA in protecting patients and of reaching all medical device users when there are problems with the device.
“The tactics matter as much as the principle of being timely in communication,” Patient Engagement Advisory Committee chair Paul T. Conway, American Association of Kidney Patients, Patient Advocacy, said at the meeting.
As important as prompt communication is when cybersecurity concerns regarding medical devices are identified, the FDA does not want to disclose such concerns prematurely, because it does not want to give information to individuals who might use it to cause harm.