FDA ‘White Hat’ Hacking Tools May Combat Medical Misinformation

Dive Insight:

Medical device cybersecurity remains top of mind at FDA as healthcare organizations continue to face threats. A report out last month, for example, said the WannaCry malware that disrupted service at about 40 U.K. hospitals two years ago remains a threat and continues to attack healthcare companies.

The OIG audit of the NIH-led Precision Medicine Initiative project is the latest glimpse into the vulnerabilities challenging the healthcare system. OIG reviewed the information system general controls for a portion of the initiative’s All of Us study that involves a group of at least 1 million U.S. volunteers who are providing genetic data, biological samples and other health information.

The component of the study that OIG reviewed, called the Participant Technology Systems Center, awarded to Vibrent Health, didn’t have adequate controls to protect participants’ sensitive health data, OIG said in its report. The vulnerabilities could have allowed an attacker with limited technical knowledge to compromise the center’s systems.

The center also failed to enable encryption in its cloud storage and did not have procedures for remediating source code vulnerabilities and timely disabling of network access. The center remediated all of the problems identified.

OIG said it found no general control vulnerabilities in a second component of the project that it reviewed, the Data and Research Center, which was awarded to Vanderbilt University Medical Center.

FDA, in its 2018 Medical Device Safety Action Plan, outlined a number of initiatives to combat cyber threats including requiring manufacturers to build security updates and patch capabilities into products and creating procedures for swift, coordinated disclosure of medical device vulnerabilities.

How industry is handling device security was the subject of a recent congressional inquiry led by Sen. Mark Warner, D-Va., vice chairman of the Senate Intelligence Committee. Manufacturers, for their part, have focused on building risk management into devices, information sharing, and the development of consensus standards, among other efforts, AdvaMed said in response to Warner.

One strategy for preventing cyber crime in healthcare that has received less attention is FDA’s effort to incorporate so-called “white hat” hacking techniques into its cybersecurity program.

FDA is likely to improve the odds that medical device and digital health technology will remain safe for patients by adopting the same tools used by hackers who are potential adversaries, Califf and Perakslis wrote in the JAMA Viewpoint article. To that end, the agency launched a #WeHeartHackers challenge to encourage device makers to join cybersecurity researchers at the Biohacking Village at DEF CON, the international hacking conference. The event takes place Aug. 8-11 in Las Vegas.

“By adopting the toolsets used by their potential adversaries, it is likely that the FDA has significantly improved the likelihood that internet-connected medical devices will remain safe and resilient for patients by employing countertactics tailored to meet specific threats,” Perakslis and Califf said. Califf was FDA commissioner from February 2016 to January 2017 under President Barack Obama.

The authors said such an approach is necessary to counter the potential threat of death and disability caused by misleading medical information. The spread of misinformation about vaccines is driving the current measles outbreaks in New York and causing some people to avoid drugs that have been proven effective, such as statins for coronary artery disease and chemotherapy for cancer, they said.

“The wider medical and scientific establishment should follow the lead of the FDA’s #WeHeartHackers strategy and embrace the use of white hat techniques to confront medical misinformation,” Califf and Perakslis wrote.