Editor's Note: In a recent two-part webinar for Bloomberg BNA, Manatt examined the most significant legal developments that life sciences companies need to watch in the year ahead. In an ongoing series of articles, we'll be sharing some of the key issues explored during the program—and guidance on navigating safely through an increasingly complex healthcare landscape. Below we summarize the presentation on wearables, devices and cybersecurity. If you'd like to view the webinar free on demand, click here to access Part 1 and here to access Part 2. If you would like a copy of the presentations for your continued reference, click here to download a free PDF.
__________________________________________________
The Vulnerability of Healthcare Information
According to a report the Brookings Institute issued in May 2016, 23% of all data breaches occur in the healthcare industry. Nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the industry $6.2 billion.
Why is healthcare data so vulnerable? Because it is so valuable. It contains a wide range of identifying information, including social security numbers, birthdates and home addresses. Unlike credit card information, much of this information is constant and can't be changed. In addition, it's information that's kept across a number of years and increasingly shared across different entities.
Legal Mandates to Address Security Issues
There are a number of legal mandates in place to address the security issues around healthcare information. The first and probably best known is the Health Insurance Portability and Accountability Act (HIPAA), which established national standards for protecting electronic health information. In addition, we have the Health Information Technology Certification Program, administered by the Office of the National Coordinator for Health Information Technology (ONC), that allows health IT projects to be certified based on standards adopted via regulation by the Department of Health and Human Services (HHS). Finally, there is the Food and Drug Administration's (FDA) premarket review and approval process for medical devices, which focuses on medical device cybersecurity.
It's important to recognize that the existing mandatory guidance is limited. Supplementing the mandatory guidance is a fair amount of nonmandatory guidance relating specifically to wearables, mobile apps and connected medical devices. For example, in October 2015, the Office of Civil Rights (OCR)—which is the office that oversees HIPAA—released an in-house mHealth Developer Portal, a community-based portal that lets developers post HIPAA-related questions. In February 2016, the OCR published informal guidance clarifying when mobile apps are subject to HIPAA. In addition, in April 2016, the Federal Trade Commission (FTC) released a set of Web-based interactive tools to help mobile app developers navigate current laws and regulations.
Despite the legal framework the existing guidance has established, there are still many questions around the legal requirements that apply to wearables and mobile devices. For example, when and how does HIPAA apply to mobile apps? Is an app that lets patients communicate with their healthcare providers covered by HIPAA, if the provider didn't recommend the app? The answers aren't always clear. This is an evolving area, with a lot more guidance likely to come going forward.
Cybersecurity Risks of Connected Medical Devices
Connected medical devices are devices that transmit information to and from the Internet, hospital IT systems or each other. For example, a heart monitor that connects to an electronic health record or an infusion pump with remote dosage controls would be classified as a connected medical device.
Connected medical devices face a number of cybersecurity pitfalls. While electronic health records are certified, other types of medical software products tend not to be, leaving them vulnerable to hacking. While there have been no reports of injury or death resulting from hacking into connected medical devices, the threat is definitely real.
Connected medical devices also can pose HIPAA challenges. HIPAA applies to protected health information (PHI) regardless of where it's stored. Therefore, when a medical device is disposed of, it needs to be wiped or destroyed to eliminate the possibility of disclosing PHI. While healthcare providers are very focused on ensuring that they wipe PHI from computers, they are not always as vigilant about PHI stored on medical devices.
Exacerbating the security risk is the fact that medical devices purchased by hospitals don't have updates intended to protect security. As we grow increasingly more interconnected, healthcare organizations need to start thinking about including requirements on securability for the lifetime of a device in their procurement specifications to mitigate some of the security risks.
Connected Medical Devices and Recent Regulatory Actions
Over the last few years, we've witnessed an explosion of attention around the cybersecurity risks that connected medical devices can pose and the resulting threat to patient safety. There have been increasing research, regulatory guidance, warnings and speculation about the ability of hackers to take control of medical systems to hurt or kill patients. While there have been no actual cases of injuries or deaths caused by hacking, it looms as a frightening possibility.
A 2012 episode of the television program Homeland featured a character hacking into the pacemaker of the fictional vice president. When interviewed about the episode, former vice president Dick Cheney revealed that toward the end of his administration's second term, the Secret Service recommended that his doctors disable the wireless capabilities in his own pacemaker because of the potential threat to his safety.
The private sector has started to pay attention to the possible serious risks of medical device hackers. In 2013, the Mayo Clinic engaged some of the most high-profile, sought-after "white hat" hackers to conduct a study of medical devices. "White hat" hackers are hackers hired by private companies to attempt to hack into their own devices, so that the companies can identify their cybersecurity vulnerabilities.
The "white hat" hackers worked on about 40 different medical devices, including cardiac monitors, infusion pumps and even hospital beds, which sometimes connect to hospital networks and electronic networks. The final report showed that, in a significant number of cases, the hackers could crush the security on the devices and gain control in some form. The most alarming finding was that one of the hackers was able to gain control of a particular brand of infusion pump and remotely cause it to deliver a potentially lethal dose of medication. Again, that is not something that's been reported to have ever actually happened, but having discovered that he could do it, the hacker reported his result to Homeland Security.
In 2014, the press revealed that Homeland Security was engaged in its own study of various medical device vulnerabilities through its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. In July 2015, Homeland Security, working in collaboration with the FDA, became concerned about the particular infusion pump that the hacker had identified. After a series of warnings and communications with the manufacturer and, in turn, with hospitals and providers, the FDA eventually recommended a recall and stopped usage of that particular infusion pump. Again, nothing actually happened—but the threat was real enough for the FDA to stop the use of that brand of device.
The increasing concerns around cybersecurity have resulted in largely nonbinding guidance and recommendations. For example, the FDA now reviews cybersecurity issues for medical devices as part of the premarket submissions it receives—whether for premarket approval applications or, more commonly, 510K applications for new versions of devices that are currently on the market.
Although the guidance the FDA has issued is nonbinding, it provides instructions to device manufacturers on what sort of information they need to include with their general free market submissions regarding their cybersecurity measures. The FDA is asking manufacturers to ensure their submissions identify any potential threats, quantify those threats and define what mitigation steps they're planning to implement.
In January 2016, the FDA issued more interesting and more ambitious postmarket guidance. The guidance asks medical device manufacturers to identify cybersecurity threats in the same way that they identify the efficacy and risk issues of their devices in the postmarket setting. The FDA is requesting that manufacturers ensure the quality audits that current regulations require include cybersecurity issues and reporting of problems and complaints to the FDA.
Although this is nonbinding guidance, it includes a promise by the FDA that it will not enforce certain reporting requirements for device manufacturers that participate in an information exchange through the National Health Information Sharing & Analysis Center, or the NH-ISAC. The NH-ISAC is an information exchange portal that allows device manufacturers and others to share information in a forum that is actually privileged by statute to a certain degree. The FDA has stated in its guidance that it strongly recommends that companies participate in information exchange portals.
Congressional Prospects
There have been some congressional actions to address mounting concerns around cybersecurity risks. California Senator Barbara Boxer sent a letter to leading medical device manufacturers expressing her concerns about cybersecurity vulnerabilities and asking them to describe the steps they're taking to address the threat of cybersecurity vulnerabilities.
There are also several pieces of legislation that are in front of Congress right now, including the TRUST IT Act, which would basically set up a star ratings program for federally certified electronic health record (EHRs). Other legislation includes:
- The Cybersecurity Disclosure Act, which would direct the SEC to require public companies to disclose whether they have any cybersecurity experts on their boards.
- The HHS Data Protection Act, with bipartisan support, that creates a separate office for the HHS Chief Information Security Officer (CISO).
Conclusion
In the end, the question remains as to whether more enforcement is the right approach. The Brookings Institute released a report saying that helping healthcare organizations prevent cyberattacks, instead of punishing those affected by them, would be a much more effective approach. The bottom line is that this is a rapidly evolving area that's changing very quickly, so it will be critical to stay tuned.