Assessing Medical Device Security

Panel Calls for Pre-Market Security Reviews
A federal advisory board is calling for the security of medical devices to be assessed before the devices are approved for sale.

The Information Security and Privacy Advisory Board is highlighting the issue because a growing number of medical devices, such as pacemakers and insulin pumps, are operated by software connected to the public Internet, often through wireless connections.

Last year, news about an "ethical hack" of a Medtronic insulin pump, which had a wireless transmitter, called attention to the medical device security issue.

"With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels," the board wrote in a letter to the Office of Management and Budget. The letter also was sent to a number of other agencies, including the Department of Health and Human Services and the National Institute of Standards and Technology.

Security Recommendations

In its letter, the advisory board recommends:

  • A single federal agency, such as the Food and Drug Administration, which regulates medical devices, should be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices. An agency should also conduct post-market surveillance of cybersecurity threat indicators.
  • The U.S. Computer Emergency Readiness Team should create defined reporting categories for medical device cybersecurity incidents. "Coordination is necessary with US-CERT to establish mechanisms that incentivize government, providers and manufacturers to collect cybersecurity threat indicators so that the country is prepared for the inevitable growth in device incident reports," the letter states.
  • The FDA should collaborate with NIST to research security features that could be enabled by default on networked or wireless medical devices in federal settings.
  • The federal government should assign a lead entity, such as the Health Resources and Services Administration or FDA, to establish better training and education to inform users, healthcare organizations and manufacturers about the risks associated with networked and wireless medical devices.
  • Further study should be conducted to determine whether additional policy or legislative changes are needed to promote medical device security.

Legislation Proposed

Meanwhile, four U.S. senators recently introduced legislation that would require unique identifiers for implantable medical devices and ongoing monitoring of the devices for safety issues (see: Bill Would Mandate Medical Device IDs).

Last July, the FDA submitted a proposed rule calling for such an identifier to the Office of Management and Budget, which reviews regulations before they go through the final approval process. But OMB has yet to release the rule.

The senators contend that a unique identifier will make it easier to track down devices that are harmful or defective. They note that harmful or defective devices were associated with the death of almost 5,000 Americans in 2009.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.