FDA Seeks Comment on Guidelines to Prevent Hacking of Medical Devices

By: Fran Kritz

December 3, 2020

The Food and Drug Administration (FDA) recently published a draft paper, Communicating Cybersecurity Vulnerabilities to Patients: Considerations for a Framework and is seeking input on best practices when healthcare providers communicate with patients and caregivers about maintaining cybersecurity for medical devices. According to the agency, the increased use of connected medical devices—such as implantable glucose monitors and blood pressure monitors that download data to doctors’ offices, and even hospital systems, increases the potential for hacking. The new guidance proposal follows 2018 draft guidance on managing cybersecurity in medical devices.

The potential risks are numerous, said David Finn, executive vice president for strategic innovation at Cynergis Tek, a cybersecurity consulting firm in Austin Texas. Hackers could gain personal and financial data from a patient by gaining access to a device, but more worrisome is the potential for them to gain access to provider and medical center data systems if patients’ devices are connected for downloading “as they increasingly are,” said Finn. The likelihood that medical staff are working remotely during the COVID-19 pandemic has increased vulnerability and access to data via patient devices because health care providers and their staff may  be working at home without password protection, increasing the risk of data theft and hacking.

The FDA said it plans to use the comments it gets on the document to help the agency with future efforts including guidance documents and potential regulations.

While the new guidance document doesn’t offer examples of specific medical devices that have been hacked, Finn shared one: In 2018 the Department of Defense banned fitness trackers for members of the military out of concern that their movements could be traced.

Issues the FDA is seeking comment on include:

  • Discussion of risks and benefits
  • How to make information easily understood and findable online, accessible on mobile devices and for people with disabilities.
  • Structure of the guidance, including how best to highlight the most important information for consumers
  • Key messages
  • Ideas for outreach and distribution vehicles such as listservs, text messages, social media, television, and websites

The FDA also acknowledged the need to consider age, race, ethnicity, languages, geography, diseases, and the types of devices used for both health care and communication when determining best messages and messaging. Comments are due by December 21 at www.regulations.gov.