The FDA needs to step up its information security review standards to identify, monitor and address the threat of malicious medical device hacking, according to a newly released report from the Government Accountability Office.
Acting on a request from a trio of U.S. House members, the GAO investigated the current state of medical device software review, finding the FDA’s oversight of information security non-existent in relation to intentional threats.
"In order for medical devices to be considered safe, they must also be secure," the authors noted, calling on officials at the Dept. of Health & Human Services to update the FDA’s review guidelines to consider the hack-ability of medical devices.
Although the FDA has long considered threats from unintentional sources, such as electromagnetic interference that may disrupt pacemakers or neurostimulators, the agency has no controls for assessing intentional interference, such as the unauthorized access or malware from malicious parties, according to the report.
"Examining the information security risks of certain active medical devices, especially with respect to intentional threats, is a relatively new field for federal regulators and information security researchers," the GAO wrote. "As technology evolves and medical devices become more complex in design and functionality, the potential for these risks occurring is also likely to increase."
AdvaMed 2012 conference-goers, make sure to attend our panel presentation, "The Hackable Body – Should We Worry About medical Device Hacking?" on Wednesday, October 3 at 10:45 a.m. at the Boston Convention & Exhibition Center.
Have questions you’d like addressed during the panel? Send them to Arezu@MassDevice.com and we’ll include them in the panel presentation.
HHS authorities agreed with the GAO’s assessment, according to a written response to the report.
"To ensure the safety and effectiveness of active implantable medical devices as the technology evolves, HHS concurs with GAO that the agency continuously develop and implement new strategies designed to assist the agency in its medical device premarket review and post-market surveillance efforts relative to information security," according to the HHS letter.
The HSS response further outlined existing efforts to bolster post-market surveillance, which were initiated separate from the GAO’s investigation.
"CDRH continues to examine its consensus standards in the area of wearable and implanted devices including exploring the possibility of using and adapting available standards from other cyberphysical system sectors such as industrial control," HHS wrote. "The Center has engaged with stakeholders to begin the process of studying what is available from other sectors and, where appropriate, tailoring it to healthcare."
The GAO analyzed a few pre-market review applications for signs that FDA’s review may consider medical device software security, looking in particular at submissions for a pacemaker and an insulin pump that had been hacked by researchers and computer security experts.
The GAO’s assessment concluded that the FDA’s hadn’t considered any factors surrounding information security, and that FDA officials "have only recently considered information security risks resulting from intentional threats because they did not previously consider such threats as reasonable and likely at the time of their earlier reviews."
The FDA seems to have changed its tune, responding to the GAO’s recommendations with a promise to complete a review of its medical device software evaluation standards before the end of the year.
“It is unclear if the [FDA] could successfully identify information security problems with active implantable medical devices were they to occur.”
"In the future the agency intends to enhance its efforts related to information security," the report stated. "Officials said the agency will consider information security risks resulting from intentional threats when reviewing manufacturers’ submissions for new devices."
The FDA did not, however, provide any milestones for reviewing and updating its risk assessments or implementing changes, the GAO noted.
Although the FDA plans to take another look at medical device hack-ability, the GAO wondered whether the agency has the tools to deal with the issue.
"FDA’s post-market efforts have several limitations, and it is unclear if the agency could successfully identify information security problems with active implantable medical devices were they to occur," according to the report.
One major limitations the GAO noted was a lack of reliability in the FDA’s MAUDE medical device adverse event reporting database, a passive surveillance system that relies on manufacturer, consumer and healthcare provider reports to monitor devices.
The GAO ultimately offered 4 recommendations for strengthening the FDA’s oversight of medical devices in relation to information security:
- Increased focus on manufacturers’ identification of intentional and unintentional threats, weaknesses in software systems and strategies for dealing with security risks,
- coordination with other government agencies that deal with software security issues, including the Dept. of Homeland Security and the National Institute of Standards & Technology,
- bolstered post-market efforts for identifying and investigating security problems,
- and established milestones for review, revision and implementation of new security guidelines.