Keeping hackers out of our medical devices

From: POLITICO Future Pulse - Wednesday Dec 15, 2021 03:02 pm
Presented by Genentech: The collision of health care and technology.
Dec 15, 2021
 
Future Pulse

By Ben Leonard


PROGRAMMING NOTE: Future Pulse won’t publish on Wednesday, Dec. 22 and 29. We’ll be back on our normal schedule on Wednesday, Jan. 5.

The Big Idea

Cyberattacks have become a grim reality for hospitals and other health care institutions during the pandemic, in some cases disrupting patient care and scrambling operations. As the Food and Drug Administration’s resident expert in medical device security, Kevin Fu oversees efforts to fortify insulin pumps, heart pacemakers and thousands of other devices that can be compromised or exploited during a security breach — and factor the vulnerabilities into the process for approving next-generation devices.

Future Pulse spoke with Fu about the ongoing threats. The interview has been condensed for length and clarity.

What are the biggest cyber threats now to medical devices?

I’m a little less concerned about the wily hackers because they’re more of a symptom of the design flaws that are baked in because of the absence of threat modeling. It’s so significant that FDA announced a new playbook for threat modeling medical devices, and that’s publicly available now for manufacturers to get out in front of it.

It’s a little too convenient to blame hackers when they break down an open front door. These are largely self-inflicted threats from a design standpoint. And the consequences are pretty clear. You can see ransomware-induced outages that do not just disrupt, but also prevent the safe and effective delivery of health care such as radiation therapies for cancer oncology. These consequences strike at the heart of what we do in safety and effectiveness, in particular the availability and the integrity of the therapies and diagnostics.

Have these threats gotten worse?

This particular threat is sort of a constant. But what we’re finding is that because of dependencies on computing technology, it becomes much more consequential.

What is the level of security preparedness overall in the medical device world?

Your mileage may vary, and you’re going to see a huge amount of variation of cybersecurity preparedness. It’s clear there's a long tail of manufacturers who need help in education on the cybersecurity front. And the attackers really aren’t going to cut any slack to someone who isn’t familiar with cybersecurity or engineering best practices. We’d like to see a much more universal point where patients can feel assured that there’s always appropriate cybersecurity.

Are there enough incentives for device makers to adequately emphasize cybersecurity?

The jury’s still out on that. I think we’re going to learn a lot during this fiscal year. For instance, there’s the presidential executive order on improving the nation’s cybersecurity [issued in May]. I think we’ll begin to see some of those outcomes and then learn, are these benefits strong enough for reasonable cybersecurity or do we need to go further? But I should be clear: Medical device security is not an option, it’s not a checkbox, it’s not an add-on. And it does require deliberate design choices that begin at the very earliest stages of manufacturing.

What should the future look like, and how different is that from the track we’re on?

In 10 years, I would really like to see a future that is no longer about hyperventilating reaction. It’s rather more about calm preparation. The good old dictum a stitch in time saves nine is very appropriate here because we know what decisions need to be made. One thing the community as a whole needs to work harder on is attracting new talent to the field of what’s become known as operational technology cybersecurity. Wouldn’t it be great if graduating students helped with public health rather than just more quickly sharing photographs of desserts?

Welcome back to Future Pulse, where we explore the convergence of health care and technology. Share your news and feedback: @dariustahir, @ali_lev, @abettel, @samsabin923, @_BenLeonard_.

 


 
Tweet of the Week

Karin Johnson @drsleepykarin “In general I’m all for multitasking but a doctor appointment is a doctor appointment whether it is virtual or not. Plan to be ready, present and NOT driving. I witnessed one pedestrian accident this AM, don’t want to be any part of another. #telehealth #respect #drivesafe”

Data Dive

A chart showing the surge in patients who have used video to talk with their doctors. The figures rose from 7 percent of respondents in 2015 to 51 percent in 2021, according to a survey conducted by investors Rock Health.

Ideas Lab

CRITICAL CATEGORIES: The unpredictable way Covid-19 progresses in critically ill patients is leading researchers to try to better identify particular groups in ICUs at the highest risk of poor outcomes and the clinical characteristics each group shares.

Researchers at Mount Sinai Health System in New York City scoured the electronic health records of more than a thousand patients within the first 24 hours after being admitted. They then used machine learning to discern trends by the type of care needed, survival rates and factors like the need for help breathing.

The team arrived at four categories: 1) Those who had unusual vital signs but required less invasive interventions within the first 24 hours and were the likeliest to survive, 2) Younger patients who were more likely to be Black, have fewer ailments, and not need mechanical ventilation and who were the likeliest to leave the hospital within 30 days, 3) Predominantly older, mostly male patients who had the highest frequency of shock at admission and whose conditions deteriorated in the first 24 hours, and 4) Patients, which included a large proportion of Latinos, who had acute respiratory distress and an “almost universal” need for mechanical ventilation.


These categories could help providers better target care for patients.

“We still have a limited understanding of effective clinical care for critically ill patients with Covid-19,” said Wonsuk Oh, a postdoctoral fellow at Mount Sinai’s school of medicine. “[The findings] ultimately facilitate personalized clinical care of patients with an informed decision.”

However, the findings have limitations. The data was based on patients admitted between March and December 2020 before vaccines became widely available in the United States.

 


 
Washington Watch

President Joe Biden’s pick to lead the Food and Drug Administration said Tuesday the agency needs to be “much more active” in combating online medical misinformation and getting consumers the facts.

“If I am confirmed, I’m going to be very aggressive in this area … because one could argue that it is killing more people than any particular disease right now,” Robert Califf told the Senate HELP Committee during a confirmation hearing.

Califf — who headed the FDA late in the Obama administration — has substantial health-tech credibility, most recently leading medical strategy and policy at Google’s parent company, Alphabet. Indeed, Alphabet’s Verily unit has two FDA-cleared medical devices; both are watches that can be used in research studies.


Califf suggested he’d strike a balance between patient safety and the need to promote innovation if confirmed.

“Safety is an issue here just like everywhere else,” Califf said. “On the other hand, if you are too heavy-handed in the regulation, you’re impeding a field where essentially, with traditional devices, you make a change and you go all the way back to the manufacturing plant. With software, you just update the code much like we’re all used to doing with our iPhone. There’s a spectrum here.”

The HELP panel will vote on advancing the nomination in January. Califf is expected to be confirmed by the full Senate.

Around the World

MICROSOFT-NUANCE DEAL RAISES FLAG: The U.K.’s Competition and Markets Authority said this week it’s examining whether Microsoft’s $19.7 billion acquisition of Nuance Communications would reduce competition in that country — the latest sign of regulators’ willingness to confront Big Tech.

The companies announced the agreement in April when Microsoft launched a $56-a-share offer for Nuance, which sells voice-based AI that’s widely used by doctors and call centers that want to automate note-taking.

Speech-to-text services are seen as key to reducing clinician burnout from burdensome documentation requirements for billing and quality measures. They could also translate into plain English the acronyms and medical jargon doctors and nurses often leave in records.

But critics have focused on the way the deal could fortify Microsoft’s position offering cloud-based services to the health care marketplace. The company declined to comment on the U.K. authority’s announcement.

By the Numbers

600: The number of patient safety reports logged since this spring in connection with the VA’s $16 billion digital health overhaul.

1,276: The median commercial price in dollars for a leg joint MRI, per researchers from Johns Hopkins and Michigan State universities.

200,000: The low end of the U.S. death toll from Covid-19 since vaccines became widely available last spring, according to figures compiled by Johns Hopkins.

35,000,000: The dollar sum the Department of Health and Human Services is making available in grants for family planning services via telehealth.

What We're Clicking

A World Health Organization official leading its “pandemic intelligence hub” discusses with Bloomberg the institution’s plans on data and artificial intelligence.

CyberScoop reveals an error that could funnel to third parties the information of patients who use the telehealth app Doxy.me.

And The New York Times profiles how elderly patients use telemedicine.

 
