FDA must focus on protecting implantable medical devices from hacking

The Food and Drug Administration needs to pay more attention to the information security risks for implantable electronic medical devices such as heart defibrillators and insulin pumps, the GAO says, including the threat of hacking and sabotage.

Although the FDA previously has considered information security risks from unintentional threats in select pre-market reviews, the new element highlighted by the General Accountability Office report are intentional threats.

The FDA "did not consider information security risks from intentional threats as a realistic possibility until recently," according to the report, "Medical Devices: FDA Should Expand its Consideration of Information Security for Certain Types of Devices." Those risks have grown along with the devices' accessibility via wireless technology, the GAO said, and were proven in recent tests in which information security researchers deliberately manipulated two types of devices.

Medical device cybersecurity is an "emerging problem," including for implantable devices, Dale Nordenberg, a pediatrician and executive director of the Medical Device Innovation, Safety and Security Consortium, told FierceEMR in an interview last spring. The Information Security and Privacy Advisory Board (ISPAB) formally warned of the risks in an April 2012 letter to the Office of Management and Budget and the U.S. Department of Health & Human Services, among other agencies.

In their report, GAO auditors noted that the FDA's current system for post-market adverse event reporting relies heavily on self-reporting from manufacturers. One problem is that while device makers may be attuned to clinical risks, they might not understand the relatively new information security risks, the auditors said.

The FDA said it already has taken steps toward GAO's recommended action of developing and implementing a formal plan to expand its focus on information security risks, and specifically will reassess how it evaluates the software used in active, or self-powered, implantable medical devices.

Earlier this month the FDA issued a report recommending establishing a unique device identification (UDI) system for medical devices and facilitating development of national and international device registries to be integrated into electronic health records. The report also recommended updating how adverse events are reported and analyzed.

To learn more:
- read the GAO report (.pdf)