FDA to Bolster Cybersecurity of Medical Devices

September 12, 2018

By Joe Carlson

After a series of computer security problems in medical devices, the Food and Drug Administration is taking steps to make sure companies do as much as possible to defend against hacking and other threats.

FDA staff members are examining companies’ preparations for potential computer-hacking threats to devices that millions of Americans depend on, according to an audit report published Tuesday by the Health and Human Services Department’s inspector general office.

“It’s a fairly good story in terms of what FDA is doing on the cybersecurity front. As we dug into their processes further, however, we identified areas where there was room for improvement,” said Abby Amoroso, the San Francisco-based deputy regional inspector general who was team leader for the study.

FDA officials welcomed the report, noting that they were already following most of its guidance and going beyond it in other aspects.

The guidance involves having the FDA make changes to its internal processes to make sure it asks questions about medical device cybersecurity earlier in the device-approval process, and to ensure that such questions are asked uniformly when new device submissions are made.

Many high- and moderate-risk medical devices contain computers that can communicate with the outside world, such as infusion pumps that work with hospital IT networks, and implantable pacemakers that wirelessly communicate with devices at the bedside or in a doctor’s hand.

Such communications are intended to make health care more accurate and safe, but computer hackers have shown that such devices can be hijacked to create problems. Although there’s never been a documented computer attack on a medical device that led to intentional patient harm, “ransomware” attacks have shut down hospital computers and independent researchers say attacks on implanted devices may have gone undetected.

The FDA has been increasing its cyber enforcement in recent years, starting in 2013 with the formation of a “cybersecurity working group” and the publication of rules in 2014 for how the FDA expects manufacturers to develop long-term plans for medical device cybersecurity. FDA guidelines say manufacturers should submit cybersecurity hazard analyses with device applications and include plans for how to issue software updates.

The investigative report from the inspector general’s office examines FDA’s efforts before device approval. A second report, still being written, will examine FDA’s efforts on cybersecurity after devices have been allowed onto the U.S. market.

Though the auditors didn’t identify any medical device that wasn’t allowed onto the market for cybersecurity reasons, FDA officials said they already ask tough questions about computer security.

One FDA employee quoted in the report said that she checks data-encryption and authentication features in diabetes devices that communicate via Bluetooth or Wi-Fi, because those controls could cut down on the risk that an unauthorized person could take control of the device and deliver too much insulin.

In another case, an FDA reviewer found that a company that makes glucose monitors relies on end-users’ antivirus software and firewalls, but that wasn’t reflected in the user manual or the hazard analysis. The unidentified company had to update its hazard analysis to include the missing information before the FDA would accept it, the report says.

The FDA also focuses on known cybersecurity risks in the preapproval stage. One FDA reviewer said the agency “took into account” a widely known password vulnerability when a similar device from the same company was submitted for review.

In another case, when independent computer hackers showed that they could remotely take control of a company’s implanted heart devices to deplete batteries or cause inappropriate shocks, the revelation spurred the FDA to meet with several other device companies that were preparing submissions of similar pacemakers and implantable defibrillators.

“During these presubmission meetings, FDA discussed with each manufacturer the newly discovered vulnerability and inquired what cybersecurity controls their device had,” the inspector general’s report says. The meetings gave the FDA the chance to ask “pointed questions about the cybersecurity risks and controls of their devices, and to discuss information that manufacturers might not have known FDA was interested in.”

The inspectors specifically recommended that FDA reviewers add cybersecurity to their “refuse to accept” checklist, which is a list of items that companies must submit at the beginning of the process just to be considered for potential clearance or approval.

FDA officials said they agree with the recommendation, but it’s more of an efficiency move since it won’t change what information companies have to submit — just the potential timing of it. Including cybersecurity as an item on the checklist could help ensure that the initial submission contains all the necessary elements for digital security up front, instead of making the FDA ask for it later.

The federal inspectors also recommended that FDA include cybersecurity discussions in its meetings with companies planning to submit devices for approval, and add it to the digital templates used for reviewing lower-risk devices.

The FDA said it has taken those two steps, and is also already working to update its rules for how network-capable devices should be designed at their earliest stages with cybersecurity in mind.

New rules under consideration at FDA could require device-makers to create and distribute a “software bill of materials” that would identify all the software that comes standard on a device. The agency is also considering forming a public-private CyberMed Safety Analysis Board that would assess high-impact cyber problems and serve as a “go team” to investigate potential and actual device compromises at the FDA’s request.

———

©2018 Star Tribune (Minneapolis)

Distributed by Tribune Content Agency, LLC.
