With the increasing use of sensors, automation, and connectivity in medical devices, health applications, and biomedical information and instrumentation systems, innovators should consider how to respond to claims of vulnerabilities in their products and services. Claims can come from internal personnel, customers, or third-party researchers. “Vulnerability disclosure programs” – sometimes called “bug bounties” – are popular in the cybersecurity community. But for small companies and innovators, they present risks and complications. This article lays out the debate and highlights complexities that biomedical innovators should consider as they approach cyber risk management, including the post-market management of vulnerabilities.
Connected Health Technology is a Target
As part of the nation’s critical infrastructure, the healthcare sector is a target for cyber attacks and data theft. In 2017, 140 hacking-related data breaches were reported to the Department of Health and Human Services. While ransomware attacks dominated 2017, experts predict cybercriminals will exploit IoT devices in 2018 – particularly at smaller healthcare institutions. Advanced tools have lowered the cost for cybercriminals to target smaller healthcare organizations, and this trend is expected to increase through 2019. Vulnerabilities can come from many sources and can affect myriad health care systems and devices.
IoT is an attractive target. Healthcare providers depend on over 100 million connected medical devices to deliver cost-effective and lifesaving treatment to patients, and this number is expected to double over the next several years. Research shows that a substantial portion of healthcare systems use outdated technology, which makes them vulnerable. The diversity of IoT devices, limited endpoint security, and use of legacy software make these systems challenging to secure. Because the market for connected medical devices is forecast to expand by 3% per year until 2022, healthcare information technology networks will be expected to address cybersecurity. Given the security threats to device technology, bug bounty programs have some appeal.
Controversial Vulnerability Disclosure Programs “Crowd Source” Security
As devices become connected and flaws are potentially subject to exploitation, companies can promote early detection and patching by encouraging ethical hacking of devices and services and working with researchers to responsibly address vulnerabilities.
Vulnerability disclosure programs create incentives to identify and communicate technical weaknesses to a manufacturer or seller. But researchers who hack systems risk violating various laws, including the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the Digital Millennium Copyright Act, 17 U.S.C. § 1201. Vulnerability disclosure programs aim to clarify the rules of engagement by providing authorization to test some or all of a website, product, or service.
Some tech giants, government agencies, and device developers have experimented with vulnerability disclosure programs. For example, Samsung, Apple, United Airlines, Microsoft, and Google have invested in bug bounty programs. Similarly, the U.S. Department of Defense recently sponsored the Hack the Air Force program, which uncovered more than 207 patchable security flaws in under a month.
Disclosure Programs Must be Carefully Managed
Interest in vulnerability disclosure spurred government action, but efforts gloss over potential dangers. In January 2017, the National Telecommunications and Information Administration published guidance, including a template, Coordinated Vulnerability Disclosures. Recently, the National Institute of Standards and Technology included vulnerability disclosure in its proposed update to the Framework for Improving Critical Infrastructure Cybersecurity, which it intends to inform the internet of things (IoT). Legislative proposals would require those selling any connected device to the government to have a program. Innovators should consider the complexities of these programs and how they could affect vendors, manufacturers, and innovators in the health care software, device, and services market.
First, consenting to a hack of healthcare infrastructure and systems involves risk. Security researchers may exceed the scope of their authority or release findings to unaffiliated organizations. Limited permission to hack may enable researchers to access protected health information (“PHI”), which is restricted from unauthorized disclosure under federal law. Healthcare organizations that operate as covered entities or business associates may be liable for breaches of PHI if bug bounty programs malfunction. Entities in the health sector must exercise caution when developing a vulnerability disclosure program.
Second, vulnerability disclosure programs can require companies to rethink their security strategies. A program may require a company to adjust from a model of scheduled maintenance and risk assessment to continuous interruption and constant patching. Companies facing a new flaw may need to shift priorities. A failure to timely address reported vulnerabilities can result in researchers publicly disclosing and seeking to profit off the company’s mishandling of the security flaw.
Third, vulnerability disclosure programs require infrastructure, time, and resources. Analyzing and fixing vulnerabilities is not always easy, and can require immediate attention. Healthcare and medical sector innovators should assess their capabilities, security processes, and staffing needs to determine whether a program is feasible. If an organization or inventor lacks the resources to develop its own program, it may consider outsourcing vulnerability management to an established bug bounty company.
Finally, vulnerability disclosure programs may trigger legal obligations. Will you have to notify business partners, customers, regulators, and the public of security flaws? A company that learns of a claimed vulnerability may turn to its vendor or the innovator for help – be it analysis or a needed patch. All parts of the medical device and system supply chain should consider these issues.
Medical Innovators Should Understand These Cyber Trends
Given the sensitivity of healthcare data and the safety implications associated with hacked devices, the medical sector is looking to strengthen cybersecurity. This requires care throughout the supply chain and lifecycle, and attention to “security by design” for all participants in the ecosystem of healthy IoT and data management.
As interest intensifies in device security, software lifecycle, supply chain issues, and government procurement of connected devices, expect the focus on security vulnerabilities and management to grow.
 See FDA, Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff (Dec. 28, 2016), available at https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf.
 Bill Siwicki, Cybercriminals Turning to Smaller Providers and Health IoT in 2018, Healthcare IT News (Jan. 5, 2018), http://www.healthcareitnews.com/news/cybercriminals-turning-smaller-providers-and-health-iot-2018.
 Center alerts health care field to new cyber vulnerabilities (Jan. 4, 2018), https://www.aha.org/news/headline/2018-01-04-center-alerts-health-care-field-new-cyber-vulnerabilities (noting that the National Health Information Sharing and Analysis Center’s Threat Intelligence Committee notified the industry that medical devices may rely on processors that could be vulnerable to Meltdown and Spectre).
 Fred Pennic, Medigate Lands $5.3M to Help Secure Connected Medical Devices From Cyberattacks, HIT Consultant (Nov. 15, 2017), http://hitconsultant.net/2017/11/15/medidate-connected-medical-device-security-platform/.
 David Nickelson, Medical Systems Hacks Are Scary, but Medical Device Hacks Could be Even Worse, Harvard Bus. Rev. (May 15, 2017), https://hbr.org/2017/05/medical-systems-hacks-are-scary-but-medical-device-hacks-could-be-even-worse.
 In 2016, more than one million internet-connected devices were hijacked to create the Mirai botnet. Mirai, a type of malware, works by exploiting weak security measures in connected devices to infect and conscript them into a botnet. The botnet then operates by disrupting internet service and extorting companies. Lily Hay Newman, The Botnet that Broke the Internet Isn’t Going Away, Wired (Nov. 9, 2016, 7:00 AM), https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/. Researchers warn that hackers could eventually take down the Internet with a botnet worse than Mirai. See Anthony Cuthbertson, Hackers Could Take Down the Internet with Million-Device Botnet Worse Than Mirai, Newsweek (Oct. 20, 2017, 8:36 AM), http://www.newsweek.com/hackers-take-down-internet-million-device-botnet-mirai-689255.
 Joe Uchill, ‘Hack the Air Force’ Challenge Most Successful Military Bug Bounty Yet, The Hill (Aug. 10, 2017, 9:15 AM), http://thehill.com/policy/cybersecurity/346016-hack-the-air-force-challenge-most-successful-military-bug-bounty-yet.
 Nat’l Inst. Telecommunications & Info. Admin., “Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1 (Dec. 15, 2016), https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf; see Angela Simpson, Improving Cybersecurity Through Enhanced Vulnerability Disclosure, NTIA (Dec. 15, 2016), https://www.ntia.doc.gov/blog/2016/improving-cybersecurity-through-enhanced-vulnerability-disclosure.
 Nat’l Inst. Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 Draft 2 (Dec. 5, 2017), available at https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf.
 See, e.g., IoT Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. (1st Sess. 2017).
About Wiley Rein
Wiley Rein LLP is a full service law firm based in Washington, D.C., specializing in federal regulatory and litigation matters. Megan Brown is a partner and lead in the cybersecurity and technology, media and telecom practices, crossing technology disciplines to advise innovators and multinational companies. Bethany Corbin is an associate supporting cyber, privacy and health sector innovation.