GAO Spotlights Medical Device Security
Yet Another Call for FDA to Take Action
The Government Accountability Office is the latest organization urging the Food and Drug Administration to develop a plan to improve post-market surveillance of information security risks in implantable medical devices.
A new GAO report recommends that the Department of Health and Human Services direct the FDA to develop and implement "a more comprehensive plan to assist the agency in enhancing its review and surveillance of medical devices as technology evolves, and that will incorporate the multiple aspects of information security."
Some implantable medical devices are wirelessly connected to a network and thus are potentially vulnerable to malware.
The GAO's recommendations are similar to recent suggestions from other organizations. For example, a study published in July by Harvard Medical School and others criticized the FDA for collecting little data about medical devices experiencing adverse events related to software or security issues. And in April, the Information Security and Privacy Advisory Board asked regulators to improve the cybersecurity of wireless medical devices.
The GAO's Findings
In the GAO's new report, the oversight agency writes, "Medical devices may have several vulnerabilities that make them susceptible to unintentional and intentional threats, including untested software and firmware and limited battery life. Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls."
The GAO recommends that to ensure the safety and effectiveness of active implantable medical devices, the FDA should "develop and implement a more comprehensive plan to assist the agency in enhancing its review and surveillance of medical devices as technology evolves, and that will incorporate the multiple aspects of information security."
Although researchers have recently demonstrated the potential for incidents resulting from intentional threats in two devices - an implantable cardioverter-defibrillator and an insulin pump - there have been no such incidents reported, the GAO notes.
The GAO recommends that an FDA plan should include, "at a minimum, four actions," such as determining how the agency can:
- Increase its focus on manufacturers' identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its pre-market approval review process;
- Utilize available resources, including those from other entities, such as other federal agencies;
- Leverage its post-market efforts to identify and investigate information security problems;
- Establish specific milestones for completing this review and implementing these changes.
HHS generally agrees with the GAO's recommendations. In a letter of comments about the report, HHS described a number of relevant efforts that its FDA unit has initiated that address issues the GAO highlighted. Those efforts include developing Unique Medical Device IDs that could help FDA identify specific medical device models experiencing information security problems. Another initiative is a new adverse event reporting system due in September 2013 to replace the FDA's 15-year-old reporting systems.
During the month of September, the FDA hosted a number of public meetings to solicit ideas for improving medical device post-market surveillance. The agency also released a report of its own: "Strengthening Our National System for Medical Device Post-Market Surveillance" (see: Monitoring Medical Devices: An Update).
FDA officials declined to comment on the GAO report.
Safety Concerns Voiced
The GAO report, "Medical Devices: FDA Should Expand Its Consideration Of Information Security For Certain Types of Devices," is the latest in a series of calls for FDA to ramp up surveillance efforts of information security problems in medical devices that could pose safety concerns for patients.
A July report from Harvard Medical School, the University of Massachusetts Amherst, and Beth Israel Deaconess Medical Center found that information spanning a nine-year period can be extracted from the FDA databases to find records about the reporting of adverse events and recalls of devices that had problems with labeling, battery failure, sterility and software issues. However, little or no information was available about product recalls and adverse events related to privacy and security problems (see: Medical Device Security Info Lacking).
And in April, the Information Security and Privacy Advisory Board wrote a letter to several federal agencies spelling out recommendations for improving cybersecurity of wireless medical devices. Among the recommendations was that a single federal agency, such as the FDA, be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices (see: Medical Device Security: Call to Action).
Those recommendations have been endorsed by various industry groups, including the Medical Device Innovation, Safety and Security Consortium.
Meanwhile, the potential for cyberthreats affecting the safety of medical devices is worrying information security leaders on the front lines at some healthcare organizations.
Among those concerned is Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston.
Users of web-enabled and other medical devices with various embedded technologies are not allowed to apply operating system patches to, or run anti-virus programs on, the products for fear that the software updates will affect product safety, Olson notes.
"That leaves the systems vulnerable to years' worth of tried and true malware as well as to all of the emerging server vulnerabilities," Olson wrote in a recent blog. He called for the FDA to step up its efforts to address medical device security risks.
Regarding the malware threat, the GAO notes in its report: "Several information security threats exist that can exploit vulnerabilities in active implantable medical devices, but experts caution that efforts to mitigate information security risks may adversely affect device performance."