This episode of The Med Device Cyber Podcast discusses a significant shift in the consequences of cybersecurity flaws in medical devices, moving beyond simple data breaches to legal prosecution. The hosts, Christian Espinosa and Trevor Slattery, center their conversation on a recent enforcement action by the U.S. Department of Justice (DOJ) against medical device manufacturer Illumina. They explain that Illumina faced legal action for selling their system under false claims, misrepresenting its security posture and failing to disclose known vulnerabilities. This case serves as a critical example of how cybersecurity failures can now constitute breaking the law.
The main argument of the episode is that the stakes for medical device cybersecurity are immensely higher than for other industries, including general healthcare IT. While a HIPAA violation concerns the privacy of health information, a cybersecurity failure in a medical device can directly lead to patient harm, misdiagnosis, or even death. This increased risk to patient safety has prompted heightened government scrutiny. The hosts introduce the DOJ's "Civil Cyber-Fraud Initiative," which leverages the False Claims Act to prosecute government contractors and vendors—including those in healthcare—who knowingly misrepresent their cybersecurity practices. This initiative marks a new era where companies can be held legally and financially accountable for fraudulent security claims, not just penalized for breaches.
The discussion also explores why this legal shift is happening now. The hosts attribute it to the rapid evolution of the cybersecurity industry and the inherent lag in regulatory adaptation. As the industry matures, regulators and law enforcement are developing more robust ways to enforce standards and punish negligence. They contrast the focus of HIPAA on information protection with the new emphasis on tangible patient safety. This evolving landscape necessitates that medical device manufacturers adopt a proactive, 'security by design' approach, integrating robust security from the very beginning of their long development cycles, rather than treating it as an afterthought. Failing to do so not only creates clinical risk but now also carries severe legal and financial repercussions.
Key Takeaways
1. Cybersecurity flaws in medical devices are now being prosecuted as legal violations, not just data breaches, with the Department of Justice (DOJ) taking enforcement action.
2. A key example is the DOJ's case against the manufacturer Illumina, which sold a system under false claims about its security and hid known vulnerabilities.
3. The DOJ is utilizing the False Claims Act via its Civil Cyber-Fraud Initiative to prosecute vendors who knowingly misrepresent their cybersecurity protections to government-funded entities.
4. The risk with medical devices is elevated because a security failure can lead to direct patient harm or death, a more severe consequence than a typical data privacy (HIPAA) breach.
5. Cybersecurity is increasingly viewed as a clinical risk integral to patient safety, rather than just a technical or IT issue.
6. The long development cycle for medical devices (often 6-7 years) makes it crucial to implement 'security by design' from the start, as retrofitting security is difficult and risky.
7. The industry is seeing a shift towards more proactive cybersecurity strategies, with some companies preparing for regulatory feedback on security even before they officially receive it.
8. With tangible consequences now a reality, medical device manufacturers can no longer afford to treat cybersecurity as a secondary concern or a checkbox item.
Frequently Asked Questions
Quick answers drawn from this episode.
This episode is most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders preparing for FDA review.
Host: Hi, welcome to another episode of the Med Device Cyber Podcast. Today we're talking about what happens when your cybersecurity flaw doesn't just cause a breach, but it breaks the law.
And there's been a recent case where the Department of Justice uh, had an enforcement against a medical device manufacturer, Illumina, and this is public knowledge, because they sold their system under false claims. There was some false pretenses about how secure the system was and the exact vulnerabilities weren't disclosed. They were sort of hidden.
And the whole idea is that cybersecurity failures today are now being prosecuted, not just penalized, because the risk is much greater with medical devices. We're looking at patient safety. We're looking at potentially killing a patient or maiming a patient or misdiagnosing a patient. Uh, and this is a much greater risk than something such as HIPAA, which has traditionally been the enforcement within the healthcare umbrella.
So, before we, like, dive in too much, uh, I want to introduce our co-host. Here he is, Trevor. Trevor's coming to us. He just moved to California, the Bay Area, and he was explaining that he doesn't have California license plates or driver's license, so he has to move his car quite often so he doesn't get a ticket. Is that what you were saying?
Guest: Yeah, so in this neighborhood, you have to have a parking permit to park for longer than two hours. To get a parking permit, you need California registration. To get California registration, I need to get, uh, California insurance. To get that, I need California residency. And since I just moved here, I don't have any bills or any receipts, anything like that. So this is going to be a fun month of shuffling around my car every two hours. In a parking garage, the closest one to me is $500 a month. So I'm not going to do that. I'm just going to do the car shuffle for a month.
Host: So this is particular to your complex then? Because I mean I've traveled to California with an out-of-state license plate and I didn't have to move my car all the time, but I'm not living in a neighborhood.
Guest: It's just a San Francisco thing. This neighborhood has parking permits and all that. Some don't. And so sometimes people just leave their car wherever across the city and then just take the bus back and forth to their car.
Host: Yeah, I guess that makes sense because I've been to California quite a bit and I would see these old RVs parked in random neighborhoods and they seem like they just park there and live in those RVs. So I understand the problem they're trying to solve. So no worries. Uh, I'm still in Phoenix today. Uh, supposed to be another hot day. I went out for a walk yesterday. It was like 118, but, uh, it cooled down I think to 111 when I walked. It was a little bit later, but still pretty hot.
Guest: A nice cool temperature of 111, perfect for a walk.
Host: Hey, it's a dry heat. I was in New Jersey not too long ago and it was like 95 and 99% humidity, so that felt hotter to me than here.
Guest: Yeah, Phoenix doesn't feel too bad. If you're out of the sun, it feels quite nice actually.
Host: Yeah, the sun is definitely intense, yeah.
Host: Awesome. So let's, uh, dive into this Civil Cyber-Fraud Initiative, which is DOJ's initiative to use the False Claims Act to really, uh, pursue vendors and contractors that misrepresent their cybersecurity protections. Uh, and in particular in healthcare. Uh, what are your thoughts, like why we're moving this direction and how come we haven't been doing it, you know, more diligently in the past?
Guest: Cybersecurity is still a pretty new industry as far as things can go and it's so rapidly evolving. We even look at the addition of regulatory requirements around cybersecurity was only two years ago. So this is a fairly new industry and it's so rapidly evolving. I think that, you know, governments around the world are trying to figure out ways to get on top of it. And unfortunately regulation moves a little bit slower than some industries such as cybersecurity. So it's an especially hard problem to solve.
What we're trying to do now is bring some enforcement to an actual consequence, an actual punishment if cybersecurity standards are not adhered to. Uh, when going through different processes, trying to certify, for an example, if you're, you know, getting a car sold in America or getting a medical device sold in America or industrial control systems and automation systems, these all have different cybersecurity requirements that are constantly getting more and more strict and evolved, especially in healthcare. And if these are violated, now there's going to be an enforced actionable punishment against the companies that knowingly violated best cybersecurity practices.
Host: Knowingly violated is a key. Yeah. And we've been enforcing HIPAA for like a really long time. So is this a big shift in your opinion, like away from, or maybe in parallel to, like, this HIPAA enforcement that's been going on? What are your thoughts on HIPAA versus what we're talking about here with medical devices?
Guest: Well, looking at HIPAA, we can just break apart the acronym to see how it's a little bit different. It's the Health Information Protection and Privacy Act. And that is looking at healthcare information. With a medical device, of course that's going to be relevant. We think about how many different systems now integrate with electronic health records, saving clinicians tons of time and processes are super automated and easy to follow now.
But there's an added layer. There's the patient harm layer. Think about an implantable device like a drug infusion pump or a pacemaker is another great example. If one of these devices gets hacked into, it's not really going to be much of a concern around the healthcare information. It's going to be a direct safety consideration.
So even though of course it's very bad, it's very dangerous. It can lead to a lot of downstream problems. If your healthcare records get breached, it's not a safety consideration. You aren't going to be directly physically harmed because of it. So this is why it's a little bit of a new, it's a bit new in the space. There aren't too many industries where cybersecurity can lead to tangible physical harm or even death in some cases.
So I think that's a little bit of a disconnect between this industry and other industries, which is why it's so rapidly evolving and why it's a little bit different from HIPAA. And so we're seeing some different controls and different consequences as opposed to HIPAA compliance.
Host: Yeah, and I agree, I mean the risk is much greater as we always talk about with a medical device versus someone stealing your PHI, which is, you know, all of mine's been stolen probably a thousand times already. Um, but it's not directly impacting my health right now or anything. You know, like a surgical robot performing surgery on me, on my knee, and it goes haywire could damage my knee obviously.
So with the Illumina case, I think this one's pretty interesting and I was wondering if this would have even come to light if they didn't sell into federally funded healthcare organizations because, you know, anytime you sell something to the government, you're under more scrutiny and you're in their crosshairs of their regulations. Um, I know there was a whistleblower involved but what's kind of a little bit of the backstory on the Illumina case that you're aware of, Trevor?
Guest: So you touched on a couple of the key main points there. There was a whistleblower involved who went to the DOJ to talk about these problems or either to the DOJ or the FDA. I'm not sure on the exact details there. But this was sort of a joint effort with the Department of Justice and then the U.S. FDA to try to prosecute this.
Since the FDA is responsible for medical devices and the FDA sets and enforces these controls for cybersecurity. Of course, it's the Department of Justice that's executing that enforcement, but the FDA sets these standards. Now, selling into a government agency is certainly going to be part of it. There, you know, you have to go through the FedRAMP process to get approved and to get on the government supplier list, things like that, which is generally a little more strict than some private controls.
But I don't think this would have stayed buried even if they were only selling privately. Uh, the class of device that is typically in this diagnostic space will fall under the PMA pathway, and the PMA pathway requires annual reporting on all sorts of different factors. But relating to cybersecurity, it is based off of cybersecurity effectiveness, controls, patching rates, lots of stuff like that.
So I feel like the cracks would have started to show eventually one way or another. They may have come up during an audit by the FDA or even as part of that annual reporting. Now, I think that it's good that obviously it came out sooner than later. Uh, they, after a deeper investigation, it turns out that a lot of very critical security controls were completely omitted from the system. The, uh, Illumina knowingly and admittedly did not follow security by design principles. So they integrated a lot of different software, a lot of different products or product components into their system while knowingly doing so in a risky manner, uh, especially in the diagnostic space. This can lead to misdiagnoses, mistreatments or, yeah, I guess it would be a mistreatment. Um, maybe the administration of therapy that could be potentially harmful.
You think about something like a cancer diagnosis and a cancer treatment. If you are misdiagnosed with cancer, chemotherapy is brutal and it's terrible for you. Even if you have cancer, it's really, really hard on your body. So you have to imagine what if you don't have cancer and you're unnecessarily going through a really rough treatment?
Host: Yeah, and some of the internal communications were made public as well uh, whether the organization, I think the whistleblower or someone in that person's uh, area of work flat out said that this device is not secure and there are major risks with it, but they chose to go ahead and put it to market anyway.
Guest: Yeah, there were some internal communications where they knowingly had documented that there were uncontrolled risks in the system and had that written down and secured internally that it should not be used in a healthcare delivery organization due to these uncontrolled risks and then sold it anyways. So there was a lot that went wrong with how this was handled and it came out to be essentially a willingly, an act where they willingly were trying to defraud the FDA based off their security controls and saying that they had a secure product when they didn't. Um, integrating this into other systems can be a huge risk as well. I know we talked about the consequences of a misdiagnosis or something of that nature.
But think about the fact that this is going to be used, you know, systems can be used in a wide range of environments. In a healthcare delivery organization, think about how many hundreds if not thousands of different medical devices are there. What if one of them gets compromised that leads to other ones getting compromised and further downstream consequences there can be pretty significant.
Host: And this is an interesting scenario, uh, and maybe it will change the landscape a little bit because I don't know of too many cases like this Illumina case that have come to light with medical devices and the Department of Justice and legal ramifications. Uh, because I think this probably happens more often than we like to think of because if I'm a company and I'm losing money during development, the sooner I get my product to market, the quicker I can start generating revenue.
So I think a lot of companies probably take some risk to get that product to market. It's just a matter of like what types of risks they're actually taking and which ones are acceptable. And it sounds like the ones that Illumina took are not acceptable due to the criticality of their device and the class of their device. Um, but I know we've had clients in the past that, I don't know if it was an organization as a whole or like the specific software developer that we pointed out something that was pretty major and they fixed it in this one little area to try to fool us but didn't fix it across the system as a whole.
So I have to wonder like why are they doing that? Is it to test how good we are or they just want to, you know, check a box and move on and they don't actually care about the security? Um, or it might just be the software developer's personality. I don't know. What are your thoughts on that?
Guest: Yeah and that specific scenario was a very interesting, they applied a control to one user account specifically instead of doing it globally and of course that was our test account that we were using. So we were able to see, we had some other vulnerabilities, we were able to compromise other accounts and we saw through those accounts that this was not a global control. Uh, often times it can be trying to reduce time to market or trying to speed up a process. There might be some technical constraints that are baked into the device where a remediation is just impossible. It's going to have some level of risk.
And this generally means that we've shifted security too far down the line. The FDA states that we should build security into our devices which helps prevent these problems. If security is built into a product, you aren't going to have to worry about down the line going "Oh, we made a critical design flaw that is inherently insecure and it's going to take us months to fix this problem." It would have been caught early on when trying to evaluate the security implications of these problems.
Now with medical devices, it's a very difficult problem since, like we said, this is a very new problem. Uh, the FDA guidance on cybersecurity came out in September of 2023 and the average time to develop a medical device is around seven years. So it hasn't even been two years since this guidance has been in place and manufacturers are submitting devices that they've been developing for five years before the guidance came out. So trying to retrofit security by design for some of these currently in-development devices is very difficult.
Host: Yeah, that's a very good point because I know we have a prospect that may become a client. Uh, their device I think, their estimated release date is in 2031, I believe you told me. Is that right?
Guest: Yes.
Host: That's, uh, you know, six years from now. So they're developing it now or starting to develop it over a six-month time frame if you don't consider cybersecurity from the beginning. In that, or six-year time frame I'm sorry, there are a lot of things that you could do poorly or things that just may evolve from a risk perspective. So yeah, it's a big challenge actually, especially given that that length of time.
Guest: Definitely. And you know, of course, cybersecurity is only one of the dozens of things that have to be considered when developing a medical device and unfortunately it can fall a little bit to the back burner when everyone's dealing with their clinical trials or their pivotal studies, human factors, animal tests. There's so many different things that are going to go into medical device development and really development in any regulated industry. Uh, cybersecurity can just be an afterthought far too often, but it is the new hot topic for the regulators as we can see it's getting enforced, it's getting punished. It is really at the front of mind for not only regulators but law enforcement as well. So mishandling it is going to become more and more significant of a problem.
Host: Yeah, 100%. And we're shifting from, you know, just being a technical risk. Obviously with this case to, there's legal, there's legal risk involved as well. And we've talked about the, we've talked about this on almost every episode I feel like these days, the SPDF, the secure product development framework, as a way to help build security into the device. Uh, do you feel manufacturers are starting to consider that or are we seeing improvements or shifts in the industry in a positive way with secure product development?
Guest: Well anecdotally, looking at what we see coming in on you know, the sales side of things, what we get for inbound discovery requests, I think the amount of companies that we're seeing come in say, "Hey we're submitting in 12 months or 18 months but we want to start designing more controls into the device early," and then work on our testing and documentation you know, four to six months out.
That we've seen a massive uptake in that recently, which I think is great. It does show that the industry is starting to mature a little bit. Um, and you know, this is partially due to manufacturers coming in that we've had as previous clients where we talk about some of these problems, we point out a bunch of pain points through doing it at the last minute and they go, "Wow, that was really rough to do last time. Let's try to fix this up for next time." So we are seeing a little bit of that as well.
But in general, I do think that the industry is starting to get a little bit wiser to some of the cybersecurity problems that come up. It's still a little bit of a slow progression and we're still dealing with retro-fitting devices currently in active development to new cybersecurity standards. So it's not a perfect solution but I think we're getting there.
Host: Yeah, I agree with that. You know, when you're talking about the sales cycle and discovery meetings, it seems like we've had an uptick in people that did a submission but they've done some research and they're anticipating deficiencies. So they'll come to us proactively saying, "We're expecting to receive deficiencies on XYZ cybersecurity controls. So can you be on standby to help us when we get these deficiencies?" So they're like, they're already aware, um, and that awareness is, you know, came during their submission or shortly thereafter. So I think the industry as a whole is starting to gain some of that awareness based on, you know, what we're seeing inbound from a lead perspective.
Guest: We've even had a couple of companies with honestly a bit of an interesting submission strategy and it ends up working out fairly well where they submit with what they have to try to stay on their timeline but they understand how long FDA review cycles take. And so often times you'll submit and then you sit around and wait for months to hear a response.
And so they submit, they come to us and say, "Hey, we know we didn't do a good job on our cybersecurity testing and documentation. Can you take a look at it? Figure out what the FDA is going to say before they say it?" and then just proactively create all this gap analysis. So even past being on standby, they just submit and go, "We know we're going to get kicked back, let's start over."
And then when the FDA does come back and they say, "Hey, here are all the deficiencies and problems," they go, "It's funny you should mention that, we already have a solution. We've been going through the testing, remediating these problems, building out new documentation during your review cycle." And then once you're in the review cycle, you get a faster turnaround time from the FDA. And so they submit their cybersecurity, deal with any questions or clarifying comments around, you know, their clinicals, their biocompatibility, any of these other problems that they might encounter. And so it actually can end up speeding up the process weirdly.
Host: It's a good point. It's all about the regulatory strategy and how you think you can work the system to get things through the quickest. And I've seen a big uptick in that. Let's just get the process started with the FDA and then anticipate the deficiencies and have a package ready to address it as soon as we receive the notice.
Guest: Yeah, submit good enough and then hope for the best.
Host: For sure. Why do you think we're in this, uh, scenario? Because I know in business there's always this challenge of aligning your sales team, your engineering team, your marketing team, your compliance team. Uh, and I guess it's a big challenge I think for a MedTech innovator because you're trying to sell this thing almost all the time before you actually have it developed and you're trying to appease your investors. So from an, a challenge perspective, how do we make sure our devices are actually secure and how do we align all these different functions of our organization to be on the same page? Or is that even feasible, do you think?
Guest: It's difficult. Medical devices are very tightly regulated. They're very expensive to develop. It takes a lot of time, takes a lot of skill, takes so much, you know, regulatory padding and different alignment of processes. I think that's why we see such a high failure rate in MedTech startups. I know you've had conversations with investors in the past that have shared as high as 93% of MedTech startups fail since often times people go into this not knowing how complicated it can be.
But having, I guess starting with the end in mind is something that I've heard all the time from people trying to help MedTech innovators, investors, like go-to-market strategist. So what is your end goal and what...
Host: That's my tagline. Yours is early and often. I always say start with the end in mind.
Guest: Yeah, exactly, work backwards. Yeah, and so then we can tie them in together. Start with the end in mind. What's your goal? Where do you want to end up? And then how are you going to get there? What do you need to do? Start it early, do it often. Make sure you're covering all of your bases all the way through.
Even looking at, you know, and this is going to apply to more than just cybersecurity, so it's general for regulatory for innovators. We look at the total product lifecycle. And we think of total that's covering development all the way to decommissioning down to the end of life. So how are we handling every single different aspect of security, of dealing with, you know, user notifications, of dealing with software updates, changes to your intended use cases throughout the full life cycle of the product and making incremental adjustments as you go so that it's not anything that piles up towards the end?
Host: Yeah, 100%. And I think we are finally getting to the point where cybersecurity can be considered a clinical risk. And I think before we've been talking about this for a long time, but this case and a few other things that have happened relatively recently have indicated that we're moving that direction and people are finally starting to take cybersecurity, uh, for real. Uh, because we've had a number of incidents where like poor cybersecurity has been tied to patient mortality, uh, increased patient mortality when there's delayed treatment because a device has ransomware or imaging systems are offline and you know, all these things cause mortality but people just haven't directly, for some reason, tied them to cybersecurity and I think we're starting to see that tie start to come together.
Guest: Yeah, even recently, and I know we've talked about this on some previous episodes, but there was a ransomware attack against the blood center which was performing dialysis and cancer treatments in the UK. And this, it was a little bit more remote and when they got ransom, they could deliver no treatment for weeks. Every single one of their systems was locked up and so a lot of people who needed critical care, you think about dialysis, you're on a timer. You need to get that done pretty often. A lot of cancer treatments for very advanced things like blood cancer can act very quickly and kill very fast. And there were deaths directly tied to this ransomware attack and denial of service and denial of availability for treatment.
So we are seeing, I think that we're coming to the realization as an industry, this is a really big problem and people can die, people can get really hurt where before it was a little bit more of a hypothetical, what if this happened? You know, we want to try to get ahead of it but now I think we're seeing it happen to some places that are maybe still getting caught up to the latest and greatest for cybersecurity.
Host: Yeah, I agree with that. So I think a couple key takeaways are, I guess one is, you know, when you lie about cybersecurity, you don't just risk a data breach, you're risking the DOJ coming after you at this point. Uh, you know, there's some legal ramifications that have greatly increased. And something else if, like HIPAA, with your medical device, if it touches patient care, then it touches the federal government, and in particular the federal government in terms of enforcement.
So it's, we're really seeing the uprise in scrutiny and government oversight of medical devices because, as we talked about in this episode, it's becoming tangible. It used to be theory, in theory somebody could kill someone with a medical device. Now it's becoming tangible.
So I hope you enjoyed this episode of the Med Device Cyber Podcast. We're going to wrap it up here and as always, if you need any help with medical device cybersecurity, feel free to reach out to Blue Goat Cyber. Thanks and hope to see you on the next one.