Threats in the Cyberage

FDA Urged to Develop Information Security Plan for Medical Devices

The U.S. Food and Drug Administration is ill-prepared to deal with information security threats to certain medical devices, according to a new federal report that urges the agency to greatly enhance its review and surveillance capabilities “as technology evolves.”

The report by the General Accountability Office, the investigative arm of Congress, describes an agency that doesn’t fully appreciate the vulnerability of some medical devices in the cyberage, particularly those that are wireless and particularly when it comes to dealing with acts of sabotage.

“While FDA has considered some information security risks associated with unintentional threats during its PMA [premarket approval] review process, such as interference, it has not considered others, such as patch and vulnerability management,” says the report, Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices. “Additionally, FDA has not considered information security risks resulting from intentional threats.”

The report also says the FDA has not utilized resources, such as a National Vulnerabilities Database, to get a better handle on the risks, and questions whether the agency could quickly and effectively respond to a problem.

“FDA’s postmarket efforts have several limitations, and it is unclear if the agency could successfully identify information security problems with active implantable medical devices were they to occur,” the report reads.

The report, which was publicly released in September, recommends that the commissioner of the FDA “develop and implement a more comprehensive plan” to better ensure the safety and effectiveness of active implantable medical devices. The plan should, “at a minimum,” include details on how the FDA can:

The report stresses that while the potential to deliberately hack certain medical devices has been demonstrated, “no actual incidents are known to have occurred.”

Still, this is at least the second federal report this year to highlight the risks as more medical devices are connected to information networks and operate wirelessly. In March, the Information Security and Privacy Advisory Board warned of a “significant risk of harm” to patients if cybersecurity vulnerabilities were not given greater consideration before and after devices are approved for sale.

Posted: October 4, 2012