FDA tackles postmarket medical device cybersecurity

By Kathryn Brown, DePaul University College of Law, WK Legal Scholar

Increasingly, medical devices may be accessed via wireless technologies which transform health care by improving patient mobility, enabling the remote programming of devices, and allowing remote access to and monitoring of patient data. Despite these apparent benefits, medical devices pose serious safety and security risks to patients and health care entities. Like other computer systems, medical devices are vulnerable to security breaches. The FDA stated, “[t]he failure to maintain the cybersecurity of medical devices can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of connected devices or networks to security threats.” This vulnerability has led to many concerns about potential harms that could arise via medical devices. For example, according to ABC News, Thomas Lewis, Partner-in-Charge at LBMC Information Security, stated that “[a] hacker attempting to get patient data could accidentally knock out medical devices connected to the Wi-Fi network, such as an MRI or X-ray machine.” Additionally, as an extreme example of the harm that device hackers could cause, The Washington Post reported that former Vice-President Dick Cheney chose to disable the wireless function of his heart implant in fear that it could be hacked in an assassination attempt.

In response to growing concerns about the cybersecurity vulnerability of medical devices, the FDA issued a draft guidance entitled “Postmarket Management of Cybersecurity of Medical Devices.” This new draft guidance builds on the FDA’s prior cybersecurity guidance issued in October 2014, which encouraged medical device manufacturers to develop and incorporate cybersecurity controls into medical devices at the premarket design stage. The new draft guidance outlines recommendations to aid medical device manufacturers in monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that have already entered the market. This guidance applies to medical devices that contain software or programmable logic, as well as software that qualifies as a medical device. It does not apply to experimental or investigational medical devices.

Overview of the Draft Guidance

The draft guidance provides overarching recommendations on assessing cybersecurity risk, as well as manufacturers’ remediation and reporting obligations. In order to determine whether their device vulnerability is controlled, the FDA encourages manufacturers to “define and document their process for objectively assessing the cybersecurity risk for their devices.” This process should be tailored to the device as well as the clinical performance and situation. The FDA’s draft guidance indicates that “critical components” of a cybersecurity surveillance program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

The FDA further advises manufacturers to exercise “good cyber hygiene” through routine device maintenance and the timely implementation of a comprehensive risk management program to mitigate cybersecurity risks and vulnerabilities. Manufacturers are reminded that they must report to the FDA any device vulnerability that poses an uncontrolled risk. As an additional security measure, the FDA suggests implementing the 2014 National Institute of Standards and Technology (NIST) Voluntary Framework for Improving Critical Infrastructure Cybersecurity.

Impact of the Draft Guidance

The FDA draft guidance is neither final nor codified; however, attorney Ronald Lee, as well as several of his colleagues, believe that the FDA has “essentially made cybersecurity vulnerability management throughout the lifecycle of medical devices a long-term and likely permanent aspect of regulatory compliance.” The proactive recommendations for device manufacturers demonstrate that medical device cybersecurity is a priority for the FDA. However, medical devices and cybersecurity threats are continually evolving; therefore, postmarket controls will not entirely eliminate these risks. Device manufacturers need to implement comprehensive cybersecurity risk management programs to address any device security vulnerabilities. The FDA accepted comments on the draft guidance until April 21, 2016, and will consider the comments before drafting the final version of the guidance. Whether or not these recommendations are codified, device manufacturers ought to be carefully assessing and evaluating the potential vulnerabilities that may appear throughout a device’s lifecycle, so as to better protect patient safety.

Kathryn Brown is pursuing her law degree from DePaul University College of Law. She completed her undergraduate degree summa cum laude from St. Ambrose University with a Bachelor’s Degree in Political Science and a concentration in International Politics. Kathryn is a Staffer on the DePaul Law Review, Fellow and Vice-Director of Programming for the Jaharis Health Law Institute, and a General Staff Writer for the Institute’s E-Pulse newsletter.

We need a bigger boat: Whaling, the latest threat to cybersecurity

By Lana Smith, DePaul University College of Law, WK Legal Scholar

In the early 2000s a phenomenon known as “phishing” began. This neologism received its name from the similarities it has with the leisure activity, since both use something as bait in order to catch a victim. Phishing, though, exists in digital form, and is the attempt to acquire personal information from internet users by “phishermen” disguised as a trustworthy entity, such as the user’s bank or credit card company, according to the Handbook of Information and Communication Security (2010). The information collected from users who take the bait can then be used to commit crimes such as fraud and theft of the user’s funds or identity. Due to the dramatic increase in phishing throughout the years, the Federal Trade Commission created the Anti-Phishing Working Group to slow the increase of phishing emails, websites, and popups. However, the Group may need a bigger net in order to catch the latest trend in cybersecurity attacks.

Unlike phishing that targets everyday Internet users, “whaling” or “spear phishing” is designed to target upper-level managers in private companies. Hackers who use whaling are attempting to deceive the executives in order to receive confidential company information. Whaling can take a wide range of forms, such as an email with its contents specifically crafted to target the person’s role in the company, a request from the CEO to deposit funds in a particular bank account, or a complex legal subpoena.

Regrettably, many executives are falling for the whaling scams. In 2008, a subpoena created to look as if it were from the Federal Bureau of Investigation (FBI) was sent to 20,000 corporate CEOs, 2,000 of whom clicked the whaling link in the email. This link recorded the CEOs’ passwords and forwarded them to whaling “phishermen” who hacked into sensitive company materials. In response to whaling attacks, the FBI created the Internet Crime Complaint Center (“C3”) in late 2013. C3 reported that in the following year more than 7,000 U.S. companies had been affected by whaling alone, equating to more than $740 million in losses.

The health care industry has also felt the turbulent wake from whaling attacks. In May 2015, the Ponemon Institute published the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. It found that health care organizations’ and their business associates’ total data breach costs were approximately $6 billion. The study showed more than 90 percent of represented health care organizations had a data breach, with 40 percent of those having more than five breaches in the past two years. Half of the organizations had little to no confidence in their ability to detect all patient data loss or theft, and with the average cost of a data breach exceeding $1 million, health care organizations and their business associates should seek the proper measures to help abate whaling.

To complicate matters, a recent decision in the Seventh Circuit, Remijas v. Neiman Marcus Group, reevaluated the “substantial risk” standard for Article III. Neiman Marcus released a statement indicating 350,000 of its customers’ credit cards were possibly exposed to malware, and 9,200 cards of this group had in fact been used fraudulently. The court held that 2.5 percent of compromised credit card holders is sufficient to show a substantial risk to an entire universe of credit card holders with breached data. While Neiman Marcus argued the possibility of a future injury was too speculative to create Article III standing, the Seventh Circuit concluded the harm was “certainly impending” rather than possible. If followed in other circuits, this decision may open the door for claimants to file suit for future harm if a data breach has occurred in a health care organization or through a business associate.

With 88 and 90 percent of breaches occurring from whaling in health care organizations and their business associates, respectively, each should review their procedures for protecting against whaling and explore forms for the transference of risk. Beyond indemnification clauses in contracts, health care organizations and business associates should consider purchasing cyber risk insurance to eliminate or reduce their exposure to Remijas-type future damage claims. Most policies should contain first-party protections, which satisfy costs for providing notifications and cover some amount of credit monitoring and/or identity theft protection. Further, most policies provide insurance to defend and satisfy the liability created when claimants pursue the health care entity. Beyond the protections through cyber risk insurance, health care organizations and business associates should also contract with monitoring services to further increase their protections against whaling and other common cyberattacks. If properly prepared, the health care industry may be able to better navigate the waters of large whaling and phishing attacks.

Lana Smith is currently pursuing her law degree and health law certificate from DePaul University College of Law. She completed her undergraduate degree from the University of Michigan in International Studies – Comparative Cultures & Identities. Lana is the Co-Director of Outreach & Recruitment of the Jaharis Health Law Institute Student Board, a staff writer for the Institute’s online publication, the E-Pulse, and is an active Health Law Fellow.

No Claim Left Behind? Jurisdiction and the Public Disclosure Bar

By Vaughn Bentley, DePaul University College of Law

The False Claims Act (FCA) is a powerful enforcement tool for fraudulent Medicare payments. Under the FCA, any person who submits a false claim for payment by the U.S. government can be liable for three times the amount claimed. One of the few defenses available is the “public disclosure bar” enacted in 1986. Recently, courts have been making the public disclosure bar defense more expansive.

Originally the public disclosure bar was considered a jurisdictional defense. Any claim that fit within the requirements was considered a jurisdictional defect and was dismissed by the court. The law was amended in 2010, removing any reference to “jurisdiction.” After the amendment, the public disclosure bar was still available as a defense, but was no longer a jurisdictional defect. Courts have struggled since the amendment with claims submitted before the 2010 amendment, but which were within qui tam actions brought after.

The Southern District of Florida recently struggled with this very issue in U.S. ex rel. Wilhelm v. Molina Healthcare of Florida, Inc. In Molina, a relator filed a qui tam action in 2012, which contained publicly available information. The defendant, a large health system in Florida, filed a motion to dismiss the claim for lack of jurisdiction. The relator countered that the motion was improper, as the 2010 amendment eliminated the jurisdictional element of the public disclosure bar. The court held the correct way to evaluate this situation is to consider the date the claim was made, not the date the suit was filed. Since the claim in Molina was from before 2010, the court held they lacked jurisdiction to hear the claim unless the relator qualified as an original source.

This amended public disclosure bar can increase litigation costs associated with FCA litigation. When the defense was jurisdictional, it would be dealt with at the outset of litigation through a motion to dismiss. The parties only needed to exchange targeted discovery to determine whether the public disclosure bar was applicable. Now, defendants must wait for a summary judgment motion to determine whether the public disclosure bar applies. This could increase the number of settlements, as the discovery process may be too expensive.

The amended public disclosure bar, however, may be unconstitutional. The language of the amended act states “[t]he court shall dismiss an action or claim under this section, unless opposed by the government,” if the allegations have been publicly disclosed and the relator is not an original source. The clear language of this statute suggests a defendant can still move to dismiss a case, but the government is able to veto the defense. Some believe this is a violation of the separation of powers giving the executive branch control over the judiciary.

Molina was not the first case to strengthen the public disclosure bar defense. In U.S. ex rel. Heath v. Wisconsin Bell, Inc., the Seventh Circuit Court of Appeals held the public disclosure bar only applies to claims based solely on public information. This means relators who use some original information can survive the public disclosure bar. Wisconsin Bell is not the first time the Seventh Circuit has taken an expansive view on the public disclosure bar. This, however, is the minority view. The majority view is that once information has been publicly disclosed, the defense will be triggered.

The public disclosure bar remains a contentious area for FCA litigation. At this point it is unclear whether more courts will adopt the reasoning of the Molina court, create a new rule, or find the amendment unconstitutional. The current circuit split regarding how much information must be public may prompt the Supreme Court to step in as well. At this point, only one thing is clear: litigation over the public disclosure bar is far from over.

Vaughn Bentley is a joint J.D. and LL.M. in Health Law candidate at DePaul University College of Law, and is expected to graduate in May of 2016. Vaughn attended State University of New York, College at Oswego and is the Jaharis Health Law Institute Director of Marketing, Editor-in-Chief of the Jaharis Health Law Institute E-Pulse, and has been published in the DePaul Journal of Health Care Law. Vaughn would like to focus his career in governmental and litigation work after graduation.

Final Words: Medicare End-of-Life Counseling Coverage

By Kathryn Brown, DePaul University College of Law

Medicare recently announced that starting in 2016 advanced care planning will be covered, including discussions that physicians have with their patients regarding the kind of care the patient wants to receive at the end of life. Advanced-care planning, also known as end-of-life counseling, may be legal, medical, practical, psychological, or spiritual in nature. It involves discussing the choices about what kind of help a person will want and need, as well as whether to receive care at home or in an institutional setting. End-of-life counseling often includes making legal decisions about wills, advanced directives, and durable powers of attorney. These conversations are vital because a “good death” can have different meanings for different people. Having their end-of-life wishes followed, whatever they are, and being treated with respect while dying are common hopes among patients.

While drafting the Affordable Care Act legislation, there were talks of reimbursing physicians for end-of-life counseling; however, the Affordable Care Act ultimately did not include such a provision. The Proposed rule was published in July 2015 and received mixed responses. One commentator, Betsy McCaughey, a Senior Fellow at the London Center for Policy Research, viewed the Proposed rule as enacting death panels. She stated, “[the rule is] being sold as ‘death with dignity,’ but it’s more like dying for dollars. Seniors are nudged to forego life-sustaining procedures and hospital care to go into hospice.” Others, however, praised the utility of such a rule. Joanne Kenen, a health care journalist, noted that, “with an aging population and growing public awareness that high-tech interventions are often futile at the end of life, doctors have encouraged private insurers to cover advanced-care conversations… Advanced-care doesn’t mean shunning aggressive care or specifying a ‘do not resuscitate’ order. People can also state in their care directives that they want ‘everything done.’” Despite mixed responses, some physicians already provide advanced care planning without compensation and some private insurers already cover advanced care planning.

When faced with end-of-life decisions, it is important to focus on living the highest possible quality of life. Dr. Diane Meier, Director of the Center to Advance Palliative Care, reminds us that, “at the outset of a serious illness it’s very important to talk with patients and families about what they can expect, what is the natural history of this disease course, what is the time frame.” It seems, however, that many individuals do not have these conversations. A recent poll by the Kaiser Family Foundation found that about 9 out of 10 people believe doctors should be having end-of-life discussions with their patients; however, only 17 percent of the individuals polled had had such conversations. Medicare, which insures 49 million elderly and disabled Americans, is in a prime position to solve this problem. Physicians previously may not have taken the time to have these important conversations because the conversations were not reimbursable. Now physicians are incentivized to take the initiative to discuss end-of-life care options and encourage beneficiaries to consider what kind of care they wish to receive at the end of their life.

These conversations are vital to patient-centered care and to carrying out a patient’s end-of-life wishes; however, physicians will need to do more than check a box that they had the conversation. Dr. Meier suggests that there should be documentation recording what was discussed and the patient’s wishes. Medicare will also need to implement metrics for measuring the quality of, and standards for, the physician-patient conversations to ensure the conversations provide thoughtful advice and patients properly understand their options. Physicians will likely need education and training on the legal aspects of end-of-life care decisions because these conversations will likely include the medical aspects of end-of-life care, including whether the individual wishes to die at home, as well as the patient’s legal options, such as creating an advance directive or durable power of attorney. Ultimately, these conversations should increase patient awareness about end-of-life care options and decrease confusion at the end of life because physicians will already know the patient’s wishes. The rule is the starting point for a health care system that will honor the goals and wishes of patients.

Kathryn Brown is a May 2017 J.D. candidate at DePaul University College of Law. Kathryn is a staffer on the DePaul Law Review, a fellow and vice-director of programming for the Jaharis Health Law Institute, and a general staff writer for the Institute’s online publication, E-Pulse. She graduated summa cum laude from St. Ambrose University in 2014 with a bachelor’s degree in political science and a concentration in international politics.