FDA Tackling Medical Device Security

Agency Is Reviewing Reporting Processes

By Marianne Kolbasuk McGee, October 18, 2012.

The U.S. Food and Drug Administration is looking for ways to improve how it tracks medical device safety and security issues, such as malware risks.


"We are reviewing all our processes and procedures and will come out with a plan," says Brian Fitzgerald, deputy director of the FDA's division of electrical and software engineering. For example, the FDA is considering whether to toughen requirements related to reporting safety and security issues.

The FDA has taken into account the findings of a recent Government Accountability Office report that recommended the FDA develop a plan to improve post-market surveillance of information security issues in medical devices, he says (see: GAO Spotlights Medical Device Security).

In a recent report, the FDA proposed several ways to improve post-market medical device surveillance for adverse events and safety issues, including malware-related incidents (see: Monitoring Medical Devices: An Update).

Last year, news about an ethical hack of a Medtronic wireless insulin pump via the Internet called attention to the medical device security issue. The Medtronic pump vulnerability was discovered by Barnaby Jack, an ethical hacker who joined security software vendor McAfee after gaining notoriety by finding ways to hack into ATMs used at convenience stores and then force them to produce cash. The manufacturers have since fixed the flaw by updating the software that runs ATMs.

This week at a conference in Australia, Jack reportedly demonstrated how a heart pacemaker can be hacked and programmed to deliver a high voltage shock to a patient.

Reporting Requirements

The FDA requires device manufacturers to report incidents of medical devices affected by malware only if the problem resulted in patient harm or is believed to pose a danger. The agency does not require healthcare providers to report suspected malware or other issues causing safety or security problems in medical devices, Fitzgerald says.

"We rely on the hospitals and institutions that purchase these devices to report incidents" even though that's not required, Fitzgerald acknowledges.

For example, healthcare providers have reported to the FDA incidents where patients with medical devices have claimed they've become dizzy or fainted after walking through the security scanners at retail stores.

In some cases, clinicians provide patients with "loosely coupled" medical devices, such as an insulin pump and a glucometer, that connect wirelessly to each other, he says. "One device will talk with the other, and maybe that works fine on the bench, but doesn't work out well when that patient walks into Kmart. There may be an electromagnetic reaction."

When those kinds of situations are reported to the FDA, "we call the manufacturer and tell them to look into it," he says. "This sort of thing happens all the time; it's how we regulate medical devices. You can't know everything that might happen before the device goes out in the wild."

Collaborative Efforts

The FDA also is reaching out to other federal agencies, including the Department of Homeland Security, to coordinate the tracking of security issues, he says. "We never thought we needed to do that. But now we need to track new viruses and malware."

And Fitzgerald participated in a mid-October meeting of the National Institute of Standards and Technology's information security and privacy advisory group to discuss the GAO's recent report, "Medical Devices: FDA Should Expand Its Consideration Of Information Security For Certain Types of Devices."

Advisory group member Kevin Fu, an associate professor of computer science at both the University of Massachusetts Amherst and University of Michigan, says there is "often poor planning" in the life cycle design of software used in medical devices. "Often manufacturers don't provide software patches" to healthcare providers when issues are discovered with the devices, he says.

"Some manufacturers do the right thing, but not all," he says. On the other hand, more healthcare providers need to do a better job of discussing maintenance issues with device manufacturers, says Fu, who moderated the recent NIST advisory group meeting.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
