Assessing Medical Device Security
Panel Calls for Pre-Market Security Reviews
A federal advisory board is calling for the security of medical devices to be assessed before the devices are approved for sale.
The Information Security and Privacy Advisory Board is highlighting the issue because a growing number of medical devices, such as pacemakers and insulin pumps, are operated by software connected to the public Internet, often through wireless connections.
Last year, news about an "ethical hack" of a Medtronic insulin pump, which had a wireless transmitter, called attention to the medical device security issue.
"With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels," the board wrote in a letter to the Office of Management and Budget. The letter also was sent to a number of other agencies, including the Department of Health and Human Services and the National Institute of Standards and Technology.
In its letter, the advisory board recommends:
- A single federal agency, such as the Food and Drug Administration, which regulates medical devices, should be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices. That agency should also conduct post-market surveillance of cybersecurity threat indicators.
- The U.S. Computer Emergency Readiness Team should create defined reporting categories for medical device cybersecurity incidents. "Coordination is necessary with US-CERT to establish mechanisms that incentivize government, providers and manufacturers to collect cybersecurity threat indicators so that the country is prepared for the inevitable growth in device incident reports," the letter states.
- The FDA should collaborate with NIST to research security features that could be enabled by default on networked or wireless medical devices in federal settings.
- The federal government should assign a lead entity, such as the Health Resources and Services Administration or FDA, to establish better training and education to inform users, healthcare organizations and manufacturers about the risks associated with networked and wireless medical devices.
- Further study should be conducted to determine whether additional policy or legislative changes are needed to promote medical device security.
Meanwhile, four U.S. senators recently introduced legislation that would require unique identifiers for implantable medical devices and ongoing monitoring of the devices for safety issues (see: Bill Would Mandate Medical Device IDs).
Last July, the FDA submitted a proposed rule calling for such an identifier to the Office of Management and Budget, which reviews regulations before they go through the final approval process. But OMB has yet to release the rule.
The senators contend that a unique identifier will make it easier to track down devices that are harmful or defective. They note that harmful or defective devices were associated with the death of almost 5,000 Americans in 2009.