Next cyberattack target? Medical devices


Enemies of the United States who seek to take down the country in a cyberattack could soon target the health care industry.

New reports warn that, following a spate of localized cyberattacks against health care facilities, federal officials and health systems are concerned that the next cyberattack target will be medical devices, including those in hospital rooms, at imaging centers and even inside patients’ homes.

“Hackers have especially targeted health systems for their valuable troves of patient data and in some cases have temporarily knocked systems offline, disrupting patient care,” Axios reported about the matter.

“But there are also a range of medical devices – such as MRIs, ventilators and pacemakers – that are potential targets, particularly when it comes to aging devices with outdated software.”

Though the cyberattack threat to medical devices is still largely theoretical, experts like Toby Gouker, an executive at privacy and security firm First Health Advisory, believe that it is only a matter of time before hackers find a way to compromise them remotely.

“It’s a real Achilles’ heel and a blind spot for health systems,” Gouker is quoted as saying. “What makes more money in a hospital than anything else? If you bring an MRI down, you can take a lot of health systems to their knees.”


Government watchdog calls on FDA to expand cybersecurity of medical devices

The U.S. Government Accountability Office (GAO) is calling on the U.S. Food and Drug Administration (FDA), which oversees medical devices, to work more closely with the Cybersecurity and Infrastructure Security Agency to coordinate medical device cybersecurity in advance of a potential attack.

Both agencies have responded to the GAO’s call positively, stating that they, too, believe more needs to be done to protect medical devices from hacking attempts.

The GAO produced a report that says the vulnerabilities inherent to medical devices “still pose risks to hospital networks – and patients.”

As of last March, a new law requires all medical device manufacturers to submit plans for how to address any cybersecurity vulnerabilities inherent to their products. That law does not, it is important to note, affect any connected devices that are already on the market.

“Everything from your hospital bed to your infusion pump next to the bed, to the monitor next to the bed that’s measuring, monitoring your vitals, they’re all connected,” said Chelsea Arnone, director of federal affairs for the College of Healthcare Information Management Executives.

“Everything is online … so they’re all ostensibly hackable.”

Because many medical devices incorporate off-the-shelf software that, like all other software, is vulnerable to threats such as viruses and “worms,” it is important that medical device manufacturers address this threat early in development to avoid hacking problems later on.

Until the new law was signed, most medical device manufacturers offered little to no support in providing patches or other cybersecurity fixes to their customers, especially for older medical devices that no longer hold “blockbuster” status.

The name of the game for the medical device industry, just like with the pharmaceutical industry, is profits. And providing constant software support for older products means fewer profits, hence the need for legislation to force these companies to do the right thing.

One recent incident that illustrates the problem occurred in Russia after a hacker found a backdoor into a hospital’s medical device. The hospital was unable to take the product offline in order to isolate the problem, and when its employees contacted the company for assistance, they were told there is no fix.

“It’s just old school,” Arnone said about the incident. “You’re calling someone on the phone and waiting and trying to get the right person who can help you. It’s like the worst kind of customer support.”

Paediatric regenerative medicine


Executive Summary

Regenerative medicine encompasses cell and gene therapies, stem cell biology, medical devices and artificial organs, biomaterials and polymer design, and tissue engineering. These innovations are fuelling progress in disease modelling and new therapies for congenital and incurable paediatric diseases. Prenatal approaches such as stem and progenitor cell therapies and genetic engineering present unique opportunities associated with substantial biotechnical, medical, and ethical obstacles. Postnatal approaches such as tissue scaffolds and in-vivo gene therapies are emerging as viable alternatives for congenital and acquired disorders requiring tissue and organ replacement. The successful delivery of regenerative medicine to paediatric patients will require its full integration into clinical practice.

Summary

This two-paper Series focuses on recent advances and applications of regenerative medicine that could benefit paediatric patients. Innovations in genomic, stem-cell, and tissue-based technologies have created progress in disease modelling and new therapies for congenital and incurable paediatric diseases. Prenatal approaches present unique opportunities associated with substantial biotechnical, medical, and ethical obstacles. Maternal plasma fetal DNA analysis is increasingly adopted as a noninvasive prenatal screening or diagnostic test for chromosomal and monogenic disorders. The molecular basis for cell-free DNA detection stimulated the development of circulating tumour DNA testing for adult cancers. In-utero stem-cell, gene, gene-modified cell (and to a lesser extent, tissue-based) therapies have shown early clinical promise in a wide range of paediatric disorders. Fetal cells for postnatal treatment and artificial placenta for ex-utero fetal therapies are new frontiers in this exciting field.

Summary

Paper 2 of the paediatric regenerative medicine Series focuses on recent advances in postnatal approaches. New gene, cell, and niche-based technologies and their combinations allow structural and functional reconstitution and simulation of complex postnatal cell, tissue, and organ hierarchies. Organoid and tissue engineering advances provide human disease models and novel treatments for both rare paediatric diseases and common diseases affecting all ages, such as COVID-19. Preclinical studies for gastrointestinal disorders are directed towards oesophageal replacement, short bowel syndrome, enteric neuropathy, biliary atresia, and chronic end-stage liver failure. For respiratory diseases, beside the first human tracheal replacement, more complex tissue engineering represents a promising solution to generate transplantable lungs. Genitourinary tissue replacement and expansion usually involve application of biocompatible scaffolds seeded with patient-derived cells. Gene and cell therapy approaches seem appropriate for rare paediatric diseases of the musculoskeletal system such as spinal muscular dystrophy, whereas congenital diseases of complex organs, such as the heart, continue to challenge new frontiers of regenerative medicine.

Source: Lancet

FDA allows marketing of new device to help the blind process visual signals via their tongues


The Food and Drug Administration today allowed marketing of a new device that, when used along with other assistive devices such as a cane or guide dog, can help orient people who are blind by helping them process visual images with their tongues.

The BrainPort V100 is a battery-powered device that includes a video camera mounted on a pair of glasses and a small, flat intra-oral device containing a series of electrodes that the user holds against their tongue. Software converts the image captured by the video camera into electrical signals that are then sent to the intra-oral device and perceived as vibrations or tingling on the user’s tongue. With training and experience, the user learns to interpret the signals to determine the location, position, size, and shape of objects, and to determine whether objects are moving or stationary.

“Medical device innovations like this have the potential to help millions of people,” said William Maisel, M.D., M.P.H., deputy director for science and chief scientist in the FDA’s Center for Devices and Radiological Health. “It is important we continue advancing device technology to help blind Americans live better, more independent lives.”

According to the National Institutes of Health’s National Eye Institute (NEI), in 2010 more than 1.2 million people in the United States were blind. NEI projects that the number of Americans who are blind will rise to 2.1 million by 2030 and 4.1 million by 2050.

The FDA reviewed the data for the BrainPort V100 through the de novo premarket review pathway, a regulatory pathway for some low- to moderate-risk medical devices that are not substantially equivalent to an already legally marketed device.

Clinical data supporting the safety and effectiveness of the BrainPort V100 included several assessments, such as object recognition and word identification, as well as oral health exams to determine risks associated with holding the intra-oral device in the mouth. Studies showed that 69 percent of the 74 subjects who completed one year of training with the device were successful at the object recognition test. Some patients reported burning, stinging or metallic taste associated with the intra-oral device. There were no serious device-related adverse events.

BrainPort is manufactured by Wicab, Inc., in Middleton, Wisc.

The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.

Pacemakers Get Hacked On TV; Could It Happen in Real Life?


Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.

He’s also a diabetic, and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.

“I’d rather stab myself six times a day with a needle and syringe,” Radcliffe recently told security experts meeting near Washington, D.C. “At this point, those devices are not up to standard.”

Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors and scanners is growing as health care facilities increasingly rely on devices that connect with each other, with hospital medical record systems and — directly or not — with the Internet.

Radcliffe made headlines in 2011 by showing a hackers’ convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.

While there have been no confirmed reports of cyber criminals gaining access to a medical device and harming patients, the Department of Homeland Security is investigating potential vulnerabilities in about two dozen devices, according to a Reuters report. Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.

“The good news is, we haven’t seen actual active threats or deliberate attempts against medical devices yet,” said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.

The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital’s data system — especially if the devices haven’t been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.

In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.

“There are not that many bad…guys whose goal in life is to go and randomly mess with patients in hospitals,” Hoyme said. “They want money, not to shut off the ventilator of a particular patient.”

Hospitals are targets because they collect so much data, from patients’ Social Security numbers and financial information, to diagnosis codes and health insurance policy numbers.

Radcliffe estimates that medical identity information is worth 10 times more than credit card information — about $5 to $10 per record on the black market compared to 50 cents per account for credit card information.

Crooks can use it to apply for credit, file fake claims with insurers or buy drugs and medical equipment that can be resold.

And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.

New FDA Guidelines

Yet there are few cybersecurity standards for medical devices.

In October, the FDA issued guidance outlining what security features developers should bake into their products when seeking approval for a new device.

The guidelines, which aren’t binding, say that when seeking approval for a new device, manufacturers should detail cybersecurity threats they considered and create better ways to detect when it might have been hacked.

They should also build in protections, such as limiting access to authorized users and restricting software updates only to products with authenticated coding.

While a good start, some security experts say the guidelines should be binding. Others fear that giving them the force of regulation could be more harmful because they would become outdated quickly.

Nonetheless, the FDA’s guidance has, in effect, changed the conversation among device makers from, “‘Do I believe this is a real threat?’ to ‘What do I have to do to satisfy the FDA?’” said Hoyme.

By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.

Common Vulnerabilities

One reason many existing devices might be vulnerable is that they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won’t be any new security patches. Other, newer devices may have built-in passwords that are difficult to update. Gaining access to them can be fairly easy, which could make them more vulnerable to attack, researchers say. In addition, a password is sometimes intentionally disabled so the device is easily accessible to medical staff in an emergency.

Hackers can also get into some inadequately protected hospital systems when staff members click on links in emails, not knowing they contain malicious code. Once transmitted to a hospital’s intranet, that malware could find its way into unprotected device software and cause malfunctions, said Hoyme and Fu.

“If cyber criminals decide they can hack into a device to get health records, they won’t think about whether they’re messing with device performance: They’re going after the money,” Hoyme said.

Security experts warn that some of the same design flaws that make medical devices vulnerable would also make breaches hard to track.

“If your iPhone is compromised, it’s a lot more straightforward for someone to determine if it’s been tampered with. We’re not there yet” with medical devices, said Billy Rios, a former Google software engineer turned security consultant.

He describes how he was able to buy a secondhand EKG machine, used to measure the heart’s electrical activity, for just $25 online. Some infusion pumps and patient monitoring systems go for less than $100. That makes devices more readily available to those who want to figure out vulnerabilities to exploit.

“The effort required is so much lower,” he says. “That’s not a good position to be in.”

What Hospitals Are Doing

Hospitals are loath to talk about device security publicly, but many are working to ensure their systems are stronger.

In a two-year test of information security, experts working for Essentia, a large Midwestern health system, found that many devices were hackable. For instance, they found settings on drug infusion pumps could be altered remotely to give patients incorrect doses, defibrillators could be manipulated to deliver random shocks and that medical records could be changed.

Stephen Curran, acting director of the Division of Resilience and Infrastructure Coordination with the Department of Health and Human Services, could not say how many facilities have a chief security officer or someone in charge of cybersecurity. But even small facilities have some relatively simple options for boosting the security of devices on their networks, he said, including “routine backups and patching of the systems and the use of anti-virus firewalls.”

Still, while “we definitely see a trend in hospitals to improve their security,” says Mike Ahmadi, global director of critical systems security at cybersecurity firm Codenomicon, vendors have to do more to engineer security.

“The bigger issue is that vendors are not held accountable for writing insecure code,” says researcher Rios. “There’s no incentive…so they don’t invest.”

Pressure On Vendors

A few hospitals, including the Mayo Clinic, have started to write security requirements into their procurement contracts.

At the University of Texas MD Anderson Cancer Center in Houston, any new software application has to be approved by the hospital’s security team, headed by Lessley Stoltenberg, chief information security officer.

He says device makers also will have to meet a slew of security requirements: Can the device be encrypted? Is there a unique identification for users? If the vendor is hosting the device, what does their system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches?

Some companies, like Ahmadi’s Codenomicon, specialize in selling software to detect software bugs that could lead to security holes.

While Codenomicon has a number of device makers as customers, those are a fraction of the more than 6,500 medical device manufacturers in the U.S., some of which may not be doing even the most basic testing. Most vendors are small — 80 percent have fewer than 50 employees — and many are startups without the capital to invest in a security expert.

So, could hackers target infusion pumps or ventilators?

“Is it possible?” Stoltenberg mused. “Yes. Is it likely? No. No device in the world is absolutely 100 percent secure.”
