FDA tackles postmarket medical device cybersecurity

By Kathryn Brown, DePaul University College of Law, WK Legal Scholar

Increasingly, medical devices may be accessed via wireless technologies that transform health care by improving patient mobility, enabling the remote programming of devices, and allowing remote access to and monitoring of patient data. Despite these apparent benefits, medical devices pose serious safety and security risks to patients and health care entities. Like other computer systems, medical devices are vulnerable to security breaches. The FDA stated, “[t]he failure to maintain the cybersecurity of medical devices can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of connected devices or networks to security threats.” This vulnerability has led to many concerns about potential harms that could arise via medical devices. For example, according to ABC News, Thomas Lewis, Partner-in-Charge at LBMC Information Security, stated that “[a] hacker attempting to get patient data could accidentally knock out medical devices connected to the Wi-Fi network, such as an MRI or X-ray machine.” Additionally, as an extreme example of the harm that device hackers could cause, The Washington Post reported that former Vice President Dick Cheney chose to disable the wireless function of his heart implant for fear that it could be hacked in an assassination attempt.

In response to growing concerns about the cybersecurity vulnerability of medical devices, the FDA issued a draft guidance entitled “Postmarket Management of Cybersecurity of Medical Devices.” This new draft guidance builds on the FDA’s prior cybersecurity guidance issued in October 2014, which encouraged medical device manufacturers to develop and incorporate cybersecurity controls into medical devices at the premarket design stage. The new draft guidance outlines recommendations to aid medical device manufacturers in monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that have already entered the market. This guidance applies to medical devices that contain software or programmable logic, as well as software that qualifies as a medical device. It does not apply to experimental or investigational medical devices.

Overview of the Draft Guidance

The draft guidance provides overarching recommendations on assessing cybersecurity risk, as well as manufacturers’ remediation and reporting obligations. In order to determine whether their device vulnerability is controlled, the FDA encourages manufacturers to “define and document their process for objectively assessing the cybersecurity risk for their devices.” This process should be tailored to the device as well as the clinical performance and situation. The FDA’s draft guidance indicates that “critical components” of a cybersecurity surveillance program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

The FDA further advises manufacturers to exercise “good cyber hygiene” through routine device maintenance and the timely implementation of a comprehensive risk management program to mitigate cybersecurity risks and vulnerabilities. Manufacturers are reminded that they must report to the FDA any device vulnerability that poses an uncontrolled risk. As an additional security measure, the FDA suggests implementing the 2014 National Institute of Standards and Technology (NIST) Voluntary Framework for Improving Critical Infrastructure Cybersecurity.

Impact of the Draft Guidance

The FDA draft guidance is neither final nor codified; however, attorney Ronald Lee and several of his colleagues believe that the FDA has “essentially made cybersecurity vulnerability management throughout the lifecycle of medical devices a long-term and likely permanent aspect of regulatory compliance.” The proactive recommendations for device manufacturers demonstrate that medical device cybersecurity is a priority for the FDA. However, medical devices and cybersecurity threats are continually evolving; therefore, postmarket controls will not entirely eliminate these risks. Device manufacturers need to implement comprehensive cybersecurity risk management programs to address any device security vulnerabilities. The FDA accepted comments on the draft guidance until April 21, 2016, and will consider the comments before drafting the final version of the guidance. Whether or not these recommendations are codified, device manufacturers ought to be carefully assessing and evaluating the potential vulnerabilities that may appear throughout a device’s lifecycle, so as to better protect patient safety.

Kathryn Brown is pursuing her law degree from DePaul University College of Law. She completed her undergraduate degree summa cum laude from St. Ambrose University with a Bachelor’s Degree in Political Science and a concentration in International Politics. Kathryn is a Staffer on the DePaul Law Review, Fellow and Vice-Director of Programming for the Jaharis Health Law Institute, and a General Staff Writer for the Institute’s E-Pulse newsletter.

We need a bigger boat: Whaling, the latest threat to cybersecurity

By Lana Smith, DePaul University College of Law, WK Legal Scholar

In the early 2000s a phenomenon known as “phishing” began. This neologism received its name from its similarities to the leisure activity, since both use something as bait in order to catch a victim. Phishing, though, exists in digital form, and is the attempt to acquire personal information from internet users by “phishermen” disguised as a trustworthy entity, such as the user’s bank or credit card company, according to the Handbook of Information and Communication Security (2010). The information collected from users who take the bait can then be used to commit crimes such as fraud and theft of the user’s funds or identity. Due to the dramatic increase in phishing throughout the years, the Federal Trade Commission created the Anti-Phishing Working Group to slow the increase of phishing emails, websites, and popups. However, the Group may need a bigger net in order to catch the latest trend in cybersecurity attacks.

Unlike phishing, which targets everyday Internet users, “whaling” or “spear phishing” is designed to target upper-level managers in private companies. Hackers who use whaling are attempting to deceive the executives in order to receive confidential company information. Whaling can take a wide range of forms, such as an email with its contents specifically crafted to target the person’s role in the company, a request from the CEO to deposit funds in a particular bank account, or a complex legal subpoena.

Regrettably, many executives are falling for the whaling scams. In 2008, a subpoena created to look as if it were from the Federal Bureau of Investigation (FBI) was sent to 20,000 corporate CEOs, 2,000 of whom clicked the whaling link in the email. This link recorded the CEOs’ passwords and forwarded them to whaling “phishermen” who hacked into sensitive company materials. In response to whaling attacks, the FBI created the Internet Crime Complaint Center (“C3”) in late 2013. C3 reported that, in the following year, more than 7,000 U.S. companies had been affected by whaling alone, equating to more than $740 million in losses.

The health care industry has also felt the turbulent wake from whaling attacks. In May 2015, the Ponemon Institute published the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. It found that health care organizations’ and their business associates’ total data breach costs were approximately $6 billion. The study showed more than 90 percent of represented health care organizations had a data breach, with 40 percent of those having more than five breaches in the past two years. Half of the organizations had little to no confidence in their ability to detect all patient data loss or theft, and with the average cost of a data breach exceeding $1 million, health care organizations and their business associates should seek the proper measures to help abate whaling.

To complicate matters, a recent decision in the Seventh Circuit, Remijas v. Neiman Marcus Group, reevaluated the “substantial risk” standard for Article III standing. Neiman Marcus released a statement indicating that 350,000 of its customers’ credit cards were possibly exposed to malware, and that 9,200 cards of this group had in fact been used fraudulently. The court held that fraudulent use of 2.5 percent of the compromised credit cards is sufficient to show a substantial risk to the entire universe of credit card holders with breached data. While Neiman Marcus argued the possibility of a future injury was too speculative to create Article III standing, the Seventh Circuit concluded the harm was “certainly impending” rather than merely possible. If followed in other circuits, this decision may open the door for claimants to file suit for future harm if a data breach has occurred in a health care organization or through a business associate.

With 88 and 90 percent of breaches occurring from whaling in health care organizations and their business associates, respectively, each should review their procedures for protecting against whaling and explore ways to transfer the risk. Beyond indemnification clauses in contracts, health care organizations and business associates should consider purchasing cyber risk insurance to eliminate or reduce their exposure to Remijas-type future damage claims. Most policies should contain first-party protections, which cover the costs of providing notifications and some amount of credit monitoring and/or identity theft protection. Further, most policies provide insurance to defend against and satisfy the liability created when claimants pursue the health care entity. Beyond the protections of cyber risk insurance, health care organizations and business associates should also contract with monitoring services to further increase their protection against whaling and other common cyberattacks. If properly prepared, the health care industry may be able to better navigate the waters of large whaling and phishing attacks.

Lana Smith is currently pursuing her law degree and health law certificate from DePaul University College of Law. She completed her undergraduate degree from the University of Michigan in International Studies – Comparative Cultures & Identities. Lana is the Co-Director of Outreach & Recruitment of the Jaharis Health Law Institute Student Board, a staff writer for the Institute’s online publication, the E-Pulse, and is an active Health Law Fellow.

Wolters Kluwer News: Publication opportunity for current law students

The Wolters Kluwer Legal Scholar program, in its third year, allows current law students to compete for the chance to have their work published in a Wolters Kluwer publication. Wolters Kluwer will accept submissions through Friday, April 1, 2016.

One submission per category may be submitted by any student currently enrolled in an ABA-accredited law school. Categories for submission are:

  • Health law (including Medicare, Medicaid, life sciences, and health reform)
  • Cybersecurity (including banking and financial privacy, securities, health care, and insurance)
  • Products liability and consumer safety
  • Employment law (including wage/hour, labor, and discrimination)

Depending on the number of entries, one to two winners per category will be selected and published in a Wolters Kluwer publication, to be determined based on the submission’s topic.

Winners will be notified by April 22, 2016. The winning submissions will be featured in a Wolters Kluwer publication the week of April 25, 2016, along with a biographical paragraph about the author.

For more information and full contest rules, visit Legal Scholars.

No Claim Left Behind? Jurisdiction and the Public Disclosure Bar

By Vaughn Bentley, DePaul University College of Law

The False Claims Act (FCA) is a powerful enforcement tool for fraudulent Medicare payments. Under the FCA, any person who submits a false claim for payment by the U.S. government can be liable for three times the amount claimed. One of the few defenses available is the “public disclosure bar” enacted in 1986. Recently, courts have been making the public disclosure bar defense more expansive.

Originally the public disclosure bar was considered a jurisdictional defense. Any claim that fit within its requirements was considered a jurisdictional defect and was dismissed by the court. The law was amended in 2010, removing any reference to “jurisdiction.” After the amendment, the public disclosure bar was still available as a defense, but was no longer a jurisdictional defect. Since the amendment, courts have struggled with claims submitted before the 2010 amendment that are part of qui tam actions brought after it.

The Southern District of Florida recently struggled with this very issue in U.S. ex rel. Wilhelm v. Molina Healthcare of Florida, Inc. In Molina, a relator filed a qui tam action in 2012 which contained publicly available information. The defendant, a large health system in Florida, filed a motion to dismiss the claim for lack of jurisdiction. The relator countered that the motion was improper, as the 2010 amendment eliminated the jurisdictional element of the public disclosure bar. The court held that the correct way to evaluate this situation is to consider the date the claim was made, not the date the suit was filed. Since the claim in Molina was from before 2010, the court held it lacked jurisdiction to hear the claim unless the relator qualified as an original source.

The amended public disclosure bar can increase the costs of FCA litigation. When the defense was jurisdictional, it would be dealt with at the outset of litigation through a motion to dismiss. The parties only needed to exchange targeted discovery to determine whether the public disclosure bar was applicable. Now, defendants must wait for a summary judgment motion to determine whether the public disclosure bar applies. This could increase the number of settlements, as the discovery process may be too expensive.

The amended public disclosure bar, however, may be unconstitutional. The language of the amended act states “[t]he court shall dismiss an action or claim under this section, unless opposed by the government,” if the allegations have been publicly disclosed and the relator is not an original source. The clear language of this statute suggests a defendant can still move to dismiss a case, but the government is able to veto the defense. Some believe this violates the separation of powers because it gives the executive branch control over the judiciary.

Molina was not the first case to strengthen the public disclosure bar defense. In U.S. ex rel. Heath v. Wisconsin Bell, Inc., the Seventh Circuit Court of Appeals held the public disclosure bar only applies to claims based solely on public information. This means relators who use some original information can survive the public disclosure bar. Wisconsin Bell is not the first time the Seventh Circuit has taken an expansive view of the public disclosure bar. This, however, is the minority view. The majority view is that once information has been publicly disclosed, the defense is triggered.

The public disclosure bar remains a contentious area for FCA litigation. At this point it is unclear whether more courts will adopt the reasoning of the Molina court, create a new rule, or find the amendment unconstitutional. The current circuit split regarding how much information must be public may prompt the Supreme Court to step in as well. At this point, only one thing is clear: litigation over the public disclosure bar is far from over.

Vaughn Bentley is a joint J.D. and LL.M. in Health Law candidate at DePaul University College of Law, and is expected to graduate in May 2016. Vaughn attended State University of New York, College at Oswego and is the Jaharis Health Law Institute Director of Marketing and Editor-in-Chief of the Jaharis Health Law Institute E-Pulse, and has been published in the DePaul Journal of Health Care Law. Vaughn would like to focus his career on governmental and litigation work after graduation.