FDA Tackling Medical Device Security
Agency Is Reviewing Reporting Processes
The U.S. Food and Drug Administration is looking for ways to improve how it tracks medical device safety and security issues, such as malware risks.
"We are reviewing all our processes and procedures and will come out with a plan," says Brian Fitzgerald, deputy director of the FDA's division of electrical and software engineering. For example, the FDA is considering whether to toughen requirements related to reporting safety and security issues.
The FDA has taken into account the findings of a recent Government Accountability Office report that recommended the FDA develop a plan to improve post-market surveillance of information security issues in medical devices, he says (see: GAO Spotlights Medical Device Security).
In a recent report, the FDA proposed several ways to improve post-market medical device surveillance for adverse events and safety issues, including malware-related incidents (see: Monitoring Medical Devices: An Update).
Last year, news about an ethical hack of a Medtronic wireless insulin pump via the Internet called attention to the medical device security issue. The Medtronic pump vulnerability was discovered by Barnaby Jack, an ethical hacker who joined security software vendor McAfee after gaining notoriety by finding ways to hack into ATMs used at convenience stores and then force them to produce cash. The manufacturers have since fixed the flaw by updating the software that runs ATMs.
This week at a conference in Australia, Jack reportedly demonstrated how a heart pacemaker can be hacked and programmed to deliver a high voltage shock to a patient.
The FDA requires device manufacturers to report incidents of medical devices affected by malware only if the problem resulted in patient harm or is believed to pose a danger. The agency does not require healthcare providers to report suspected malware or other issues causing safety or security problems in medical devices, Fitzgerald says.
"We rely on the hospitals and institutions that purchase these devices to report incidents" even though that's not required, Fitzgerald acknowledges.
For example, healthcare providers have reported to the FDA incidents where patients with medical devices have claimed they've become dizzy or fainted after walking through the security scanners at retail stores.
"In some cases, clinicians provide patients with 'loosely coupled' medical devices, such as an insulin pump and a glucometer, that connect wirelessly to each other," he says. "One device will talk with the other, and maybe that works fine on the bench, but doesn't work out well when that patient walks into Kmart. There may be an electromagnetic reaction."
When those kinds of situations are reported to the FDA, "we call the manufacturer and tell them to look into it," he says. "This sort of thing happens all the time; it's how we regulate medical devices. You can't know everything that might happen before the device goes out in the wild."
The FDA also is reaching out to other federal agencies, including the Department of Homeland Security, to coordinate the tracking of security issues, he says. "We never thought we needed to do that. But now we need to track new viruses and malware."
And Fitzgerald participated in a mid-October meeting of the National Institute of Standards and Technology's information security and privacy advisory group to discuss the GAO's recent report, "Medical Devices: FDA Should Expand Its Consideration Of Information Security For Certain Types of Devices."
Advisory group member Kevin Fu, an associate professor of computer science at both the University of Massachusetts Amherst and University of Michigan, says there is "often poor planning" in the life cycle design of software used in medical devices. "Often manufacturers don't provide software patches" to healthcare providers when issues are discovered with the devices, he says.
"Some manufacturers do the right thing, but not all," he says. On the other hand, more healthcare providers need to do a better job of discussing maintenance issues with device manufacturers, says Fu, who moderated the recent NIST advisory group meeting.
Fu cited several reasons for deficiencies in the way medical device safety and security issues are tracked and addressed. "Hospitals often don't report problems to regulators or manufacturers; manufacturers don't issue patches when they know there's a problem; and the regulations are open to interpretation," he says. "There needs to be more meaningful reporting."
Fu recently co-authored a report with experts at Harvard Medical School and Beth Israel Deaconess Medical Center that called for the FDA to take action on post-market surveillance of medical device security issues (see: Medical Device Security Info Lacking).
Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, also urges the FDA to make clearer requirements for manufacturers when it comes to addressing security issues involving medical devices (see: Medical Device Security: A Call to Action).
Any device that has an operating system and uses a computer to assist in delivering any medical treatment or monitoring is susceptible to malware, he contends.