A Q&A with Paul Otto of Hogan Lovells
Given recent events such as the 2017 WannaCry ransomware attack that affected more than 200,000 computers across 150 countries, concerns about data privacy and medical devices have come to the fore with increased scrutiny from regulators. To understand the risks medical devices pose and how companies are responding, we spoke to Paul Otto, senior associate of Hogan Lovells in Washington, DC.
What are the top data risks surrounding medical devices?
The baseline concern is the growing trend of adding connectivity to devices in general and medical devices in particular. There are good reasons to add connectivity to existing or not-yet developed devices, because these features carry a lot of benefits for operational efficiency and for supporting patient care. Connecting devices allows caregivers to gather more data throughout the lifecycle of care and make it accessible to partners to coordinate treatment. It also provides other opportunities for manufacturers to connect with patients and providers in new and previously unavailable ways. Yet the gathering and sharing of that data also brings new exposures with more pronounced threats. Unlike a server in a hospital system, devices present multiple points of vulnerability and access to the network, and can potentially put at risk not just patients’ privacy and personal safety but the security of every other entity connected to them—manufacturers of software, hardware and other vendors. With many more devices to protect and monitor, there are that many more opportunities for bad actors to exploit them—and this risk is growing exponentially. What we saw with WannaCry when large swaths of devices in hospitals across the United Kingdom were hit is that any environment is only as strong as its weakest link. While it’s difficult to anticipate the exact threat vectors coming along, we know that ransomware has proved profitable so bad actors will continue to innovate new ways to deploy it.
How serious is the risk to human safety and privacy?
There has not been a publicly reported case where negative health outcomes or death have been pinned to a cyber attack on a medical device. However, people have demonstrated that the possibility for harm is very real. Just because we have not seen people hurt doesn’t mean that they couldn’t be—perhaps we have just been lucky so far. Unlike, say, financial data theft, it can be difficult to quantify the effects of privacy risk with regard to medical devices. We do know that there is potential for blackmail, false insurance claims, medical identity theft and other concerns. From a regulatory perspective, there is an interest in how to weigh this potential impact in the aftermath of an attack.
What does the regulatory landscape currently look like and who are the enforcers?
As an agency focused on public health and patient safety, the Food and Drug Administration (FDA) has been very active over the past five years in particular in overseeing medical device cybersecurity. In the last month alone, the FDA has announced that it is updating its pre-market guidance to account in greater detail for cybersecurity risks such as ransomware. The FDA has been working across the whole health ecosystem to issue safety communications, alerts and advisories, highlighting device vulnerabilities that require an action such as a product recall. On the data security and privacy front, the Department of Health and Human Services Office for Civil Rights (OCR) has enforcement responsibilities for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), so while this agency is not focused on devices per se, it covers data from connected devices used throughout the health ecosystem. The Federal Trade Commission (FTC), which is our general data and privacy regulator in the U.S., has been holding workshops on connected devices. While it has not brought any cases specifically for connected medical devices and data loss, it’s very possible that it will – and its jurisdiction includes connected devices sold directly to consumers that may not be subject to FDA approval or OCR oversight. Finally, we are seeing a lot of activity from state attorneys general. They are bringing more investigations on behalf of their residents to encourage compliance with “reasonable” data security practices and privacy interests rooted in general consumer protection. While, again, there is not much specifically related to medical devices, this oversight is only ramping up and we expect that connected devices will come under scrutiny.
What advice do you have for companies developing and manufacturing medical devices?
There’s an ongoing need for risk management and assessment throughout the life cycle of these devices so it’s very important to build that into the process at the outset. It will help prevent incidents but also protect a company if there is a bad outcome and regulators come looking for documentation of reasonable security practices.
Insurance is getting a lot more attention as we see our clients looking closely at data loss events and whether they are covered by existing policies or would require additional cyber and privacy liability coverage. As we’ve seen, a single vulnerability can have significant and widespread consequences. In the case of WannaCry, hospitals were reverting back to paper processes, creating major upheaval. Clients want to get ahead of these risks which can prove catastrophic, but they also need to be aware that insurers may well impose their own requirements as a condition for coverage.
Finally, a number of organizations such as Underwriters Laboratory have come forward with a cybersecurity certification process for medical devices, which offers a set of standards and a baseline for risk management. Whether or not these certifications offer a benefit or limit legal liability is an interesting risk calculation in and of itself and the answer remains to be seen. This whole part of the landscape is evolving so we should all continue to pay attention to it.
Medical devices are transforming the point of care from a model of in-patient diagnostics and care to real-time diagnostics and monitoring in homes and other locations. Connectivity improves physicians’ abilities to gather data quickly and more efficiently, but as a result, expands the security and privacy footprint for personal and health data. At NetDiligence, we value the expertise that Paul Otto and Hogan Lovells bring to us as a leading firm in the healthcare space, and we look forward to their insights as this nascent cyber risk evolves.