After a series of computer security problems in medical devices, the Food and Drug Administration is taking steps to make sure companies do as much as possible to defend against hacking and other threats.
FDA staff members are examining companies’ preparations for potential computer-hacking threats to devices that millions of Americans depend on, according to an audit report published Tuesday by the Health and Human Services Department’s inspector general office.
“It’s a fairly good story in terms of what FDA is doing on the cybersecurity front. As we dug into their processes further, however, we identified areas where there was room for improvement,” said Abby Amoroso, the San Francisco-based deputy regional inspector general who was team leader for the study.
FDA officials welcomed the report, noting that they were already following most of its guidance and going beyond it in other aspects.
The guidance involves having the FDA make changes to its internal processes to make sure it asks questions about medical device cybersecurity earlier in the device-approval process, and to ensure that such questions are asked uniformly when new device submissions are made.
Many high- and moderate-risk medical devices contain computers that can communicate with the outside world, such as infusion pumps that work with hospital IT networks, and implantable pacemakers that wirelessly communicate with devices at the bedside or in a doctor’s hand.
Such communications are intended to make health care more accurate and safe, but computer hackers have shown that such devices can be hijacked to create problems. Although there’s never been a documented computer attack on a medical device that led to intentional patient harm, “ransomware” attacks have shut down hospital computers, and independent researchers say attacks on implanted devices may have gone undetected.
The FDA has been increasing its cyber enforcement in recent years, starting in 2013 with the formation of a “cybersecurity working group” and the publication of rules in 2014 for how the FDA expects manufacturers to develop long-term plans for medical device cybersecurity. FDA guidelines say manufacturers should submit cybersecurity hazard analyses with device applications and include plans for how to issue software updates.
The investigative report from the inspector general’s office examines FDA’s efforts before device approval. A second report, still being written, will examine FDA’s efforts on cybersecurity after devices have been allowed onto the U.S. market.
Though the auditors didn’t identify any medical device that wasn’t allowed onto the market for cybersecurity reasons, FDA officials said they already ask tough questions about computer security.
One FDA employee quoted in the report said that she checks data-encryption and authentication features in diabetes devices that communicate via Bluetooth or Wi-Fi, because those controls could cut down on the risk that an unauthorized person could take control of the device and deliver too much insulin.
In another case, an FDA reviewer found that a company that makes glucose monitors relies on end-users’ antivirus software and firewalls, but that wasn’t reflected in the user manual or the hazard analysis. The unidentified company had to update its hazard analysis to include the missing information before the FDA would accept it, the report says.
The FDA also focuses on known cybersecurity risks in the preapproval stage. One FDA reviewer said the agency “took into account” a widely known password vulnerability when a similar device from the same company was submitted for review.
In another case, when independent computer hackers showed that they could remotely take control of a company’s implanted heart devices to deplete batteries or cause inappropriate shocks, the revelation spurred the FDA to meet with several other device companies that were preparing submissions of similar pacemakers and implantable defibrillators.