However, the FDA highlighted that balancing security with medical device functionality would be challenging. The previous GAO report stated that mitigating security risks could affect the performance of the devices, such as limiting battery life with newly implemented controls. The FDA included this in their final guidance document and urged that “security controls should not unreasonably hinder access to a device intended to be used during an emergency situation.”
The agency concluded with the recommendation that medical device manufacturers provide justification in the premarket submission for the security functions chosen for their medical devices. In comparison, the agency’s draft guidance “General Wellness: Policy for Low Risk Devices” that was issued in January 2015 does not require low-risk products like fitness trackers/wearables or apps to monitor daily energy expenditure and caloric intake to have similar security measures.6
Even with the cautionary measures implemented by manufacturers and regulatory agencies, there is still a potential for connected medical devices to be maliciously altered remotely via hacking.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, MD, MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health.
“It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”7
Clinicians should be aware of the security risks associated with connected medical devices and take all proper precautions to prevent or limit security breaches. Patients using these devices should also be aware of any unusual activity from the devices that may indicate that the security has been compromised.
- Robertson, J. McAfee hacker says Medtronic insulin pumps vulnerable to attack. Bloomberg Business. http://www.bloomberg.com/news/articles/2012-02-29/mcafee-hacker-says-medtronic-insulin-pumps-vulnerable-to-attack. Published February 29, 2012. Accessed March 31, 2015.
- United States Government Accountability Office. Medical devices: FDA should expand its consideration of information security for certain types of devices. http://gao.gov/assets/650/647767.pdf. Published August 2012. Accessed March 31, 2015.
- Medtronic Statement on Medical Device Security. http://newsroom.medtronic.com/phoenix.zhtml?c=251324&p=irol-newsArticle&ID=1866063. Published October 19, 2013. Accessed March 31, 2015.
- Zetter, K. It’s insanely easy to hack hospital equipment. Wired. http://www.wired.com/2014/04/hospital-equipment-vulnerable/. Published April 25, 2014. Accessed March 31, 2015.
- U.S. Department of Health and Human Services, Food and Drug Administration, Center for Devices and Radiological Health, Office of Device Evaluation, Office of In Vitro Diagnostics and Radiological Health, and Center for Biologics Evaluation and Research. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff. http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf. Published October 2, 2014. Accessed March 31, 2015.
- U.S. Department of Health and Human Services, Food and Drug Administration, and Center for Devices and Radiological Health. General Wellness: Policy for Low Risk Devices, Draft Guidance for Industry and Food and Drug Administration Staff. http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm429674.pdf. Published January 20, 2015. Accessed March 31, 2015.
- Food and Drug Administration. The FDA takes steps to strengthen cybersecurity of medical devices. http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm. Published October 1, 2014. Accessed March 31, 2015.
This article originally appeared on MPR