Medical Device Security: Call to Action
Panel Highlights Steps Regulators Should Take
The federal government isn't doing enough to size up the cybersecurity issues involved in using networked medical devices, such as wireless cardiac pacemakers and insulin pumps, a federal advisory panel says. As a result, the panel is calling for numerous steps, including a review of the security of all medical devices before they are approved for sale.
The Information Security and Privacy Advisory Board wrote a letter to several federal agencies spelling out its recommendations (see: Assessing Medical Device Security). "Medical devices do a tremendous amount of good every day for many millions of people," says Daniel Chenok, the board's chair. The government needs to take steps to ensure that cybersecurity concerns don't make consumers think twice about whether a device is safe to use, he stresses.
"The point of the letter is to say we really don't know what this cybersecurity problem looks like," says Chenok, who is vice president for technology strategy at IBM Global Business Services. "What's the size of the issue, and how should the government best tackle it?"
The board's letter points out why it believes action is essential: "Software-controlled medical devices are increasingly ... exposed to cybersecurity risks on the Internet. ... With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels."
Anecdotal Evidence Abounds
Last year, news about an "ethical hack" of a Medtronic wireless insulin pump via the Internet called attention to the medical device security issue. That incident, and other anecdotes, contributed to the board's decision to submit the letter, says board member Kevin Fu, professor of computer science and electrical and computer engineering at the University of Massachusetts.
The government needs to "collect data and think about the scope of the problem" to help avoid security incidents, Fu says. For example, a hacker potentially could access a wireless insulin pump remotely via the Internet and adjust the dose to a dangerous level.
"Right now ... the data collection is episodic rather than systematic," Chenok says. "We want more empirical rigor around reporting, collection and analysis of medical device cybersecurity incidents and vulnerabilities."
Chenok is hopeful the board's letter serves, over the long haul, as a catalyst for legislation, policy or pilot projects dealing with medical device cybersecurity.
The Medical Device Innovation, Safety and Security Consortium fully endorses the board's recommendations, says founder Dale Nordenberg. The consortium is a public-private partnership that's attempting to identify best practices for medical device safety and security.
In its letter, the advisory board recommends:
- A single federal agency, such as the Food and Drug Administration, which regulates medical devices, should be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices. "Today, there are multiple agencies that address the issue in multiple ways," Fu notes. A cybersecurity assessment should occur whether a device is cleared through a fast-track process or subjected to a rigorous review, Chenok adds. He stresses that the board is not calling for a "new, time-consuming burdensome process," but rather an expansion of existing processes. The letter also suggests that the FDA or another agency should conduct post-market surveillance of cybersecurity threat indicators.
- The U.S. Computer Emergency Readiness Team should create defined reporting standards for medical device cybersecurity incidents. Such standards are necessary, Fu says, to ensure all government agencies can collect and analyze data the same way. "Coordination is necessary with US-CERT to establish mechanisms that incentivize government, providers and manufacturers to collect cybersecurity threat indicators so that the country is prepared for the inevitable growth in device incident reports," the letter states.
- The FDA should collaborate with the National Institute of Standards and Technology to research security features that could be enabled by default on networked or wireless medical devices in federal settings, such as at the Department of Veterans Affairs and other agencies.
- The federal government should assign a lead entity, such as the Health Resources and Services Administration or the FDA, to establish better training and education to inform users, healthcare organizations and manufacturers about the risks associated with networked and wireless medical devices.
- Further study should be conducted to determine whether additional policy or legislative changes are needed to promote medical device security.
This week, both the House and Senate will consider legislation to reauthorize and modify the federal statute governing medical device oversight. Consumers Union recently issued a statement analyzing those measures. The Senate measure includes a provision calling on regulators to issue a long-delayed rule establishing a unique medical device identifier.
The pending legislation does not reflect any of the board's recommendations, Chenok says. He acknowledges that it could take many months for legislators and regulators to take action on the board's proposals. But he's hopeful the letter will have a "catalytic impact."