OPINION:
Ransomware attacks make the news almost every day in a wide variety of industries. Attacks against medical facilities are among the most egregious. But ransomware attacks are (unbelievably) only part of the problem — the part of the iceberg above sea level.
Lurking beneath the splashy headlines of cyberattacks, there are patient safety risks caused by servicers who hack into medical devices under the guise of repair and maintenance. Whether wickedly intended or just reckless, this hacking presents a threat just as dangerous as ransomware attacks by professional hackers and is less likely to be appreciated by the medical device community, physicians, and patients who rely on such devices for lifesaving treatment.
The Food and Drug Administration states: “Cybersecurity is a widespread issue affecting medical devices connected to the Internet, networks, and other devices. Cybersecurity is the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
In a recent FDA discussion paper, “Strengthening Cybersecurity Practices Associated With Servicing Medical Devices: Challenges and Opportunities,” the agency asks, “How can entities that service medical devices contribute to strengthening the cybersecurity of medical devices?”
According to the discussion paper, the FDA “defines service to be the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer (OEM) and to meet its original intended use.”
In other words, the first step in advancing medical device cybersecurity is to limit who controls the repair and maintenance of these highly sophisticated pieces of health care technology and to ensure that they are FDA-regulated manufacturers.
But where you stand depends on where you sit. According to the U.S. PIRG, restrictions on repair information leave “hospital repair technicians, commonly known as ‘biomeds,’ without the tools they need to fix medical equipment as soon as it breaks. Instead, they have to wait days, weeks or even a month for a manufacturer-branded technician to travel onsite and make the repair well within the biomed’s capabilities. In the meantime, that broken ventilator can’t be used to deliver life-saving treatment to a patient.”
But can some perceived delay in repair speed ever justify hacking a medical device? “Facts,” as John Adams reminds us, “are pesky things.” Hacking is a covert activity, meaning our theoretically empowered watchdog regulators (such as those at the underfunded and understaffed Food and Drug Administration) will have no advance knowledge or awareness of these activities until something goes catastrophically wrong.
Similarly, manufacturers won’t have any visibility regarding who is accessing their devices or for what purposes. According to the FDA, “Designing devices to limit access only to privileged device users (“privileged access”) is a key component of ensuring a secure medical device.”
Quality is the glue that holds together our health care technology ecosystem, and the stalking horse issue of the “right to repair” has led to third-party servicers admitting to various coordinated, illegal schemes to circumvent medical device security that seek profit at the expense of patient safety and in defiance of regulatory guidance.
A number of district courts have noted such conduct violates federal and state laws, including claims under the federal Computer Fraud and Abuse Act. According to one judgment, enabling unlicensed software required one defendant “to hack into the systems and circumvent technological measures. This constitutes willful and unreasonable conduct that the Court determined is clearly motivated by an interest in profiting from copyrighted works without paying for expensive licenses.”
In another case, the court found: “Defendants have admitted to using software they developed to bypass Plaintiff’s security, there can be no dispute that they have circumvented Plaintiff’s technological measures under the plain terms of the DMCA.” The Digital Millennium Copyright Act amended U.S. copyright law to address important parts of the relationship between copyright and the internet.
And most disturbingly, “Defendants intentionally accessed a protected computer and exceeded their authorized level of access.” These acts weren’t undertaken by cyber terrorists, but rather by competing companies for profit. As one judge put it, “This constitutes willful and unreasonable conduct that the Court believes it is appropriate to deter.”
Contrary to popular culture, hacking isn’t cool. It’s a crime.
Alas, such illegal activity isn’t surprising considering (1) the general and ill-informed consensus that right-to-repair legislation is risk-free and (2) there’s a lot of money to be made in circumventing the rules designed to protect patient safety. According to the FDA, “servicing” a regulated medical device means “the repair and/or preventive or routine maintenance of one or more parts in a finished device, after distribution, for purposes of returning it to the safety and performance specifications established by the original equipment manufacturer and to meet its original intended use.”
This also raises a crucial question: What’s become of hospital-based quality control? Who’s letting the hackers in? Is procurement talking to compliance? Cui bono? After all, these are the same hospitals that are willfully ignoring both federal and state legislation calling for increased hospital transparency on pricing for goods and services. Whither compliance?
The first step in both patient safety and cybersecurity is to limit who controls the repair and maintenance of these highly sophisticated pieces of health care technology and to ensure that they are FDA-regulated manufacturers.
Judicial pronouncements of “summary judgment” in favor of device manufacturers are a welcome start, but more is needed. Absent comprehensive reform, greed and the low chance of getting caught still give disreputable (but inexpensive) right-to-repair chop shops incentive to continue their unsavory, unsafe and illegal behaviors. In the words of former President Barack Obama, “We didn’t become the most prosperous country in the world by rewarding greed and recklessness.” Amen.
• Peter J. Pitts, a former Food and Drug Administration associate commissioner, is president of the Center for Medicine in the Public Interest, a visiting scholar at the New York University School of Medicine, Division of Medical Ethics, and a visiting professor at the University of Paris School of Medicine.