During the second season of Homeland, terrorists assassinated the Vice President of the U.S. by hacking into the pacemaker controlling his heart. It was shocking and awakened many viewers to the growing issue of cybersecurity for medical devices, which the Food and Drug Administration (FDA) is now addressing.
The FDA just released long-awaited guidelines for how manufacturers of devices need to deal with cybersecurity to protect patients. Acknowledging that no medical device is completely threat-proof, the FDA statement emphasized that device makers need to remain vigilant about cybersecurity and protect patients from risks. The federal agency is asking manufacturers to factor in security risks when developing medical devices. In addition, the FDA is now requiring them to provide information on the potential risks and what they have done to mitigate them for patients.
For years, researchers have pointed out the susceptibilities in implanted medical devices that are connected to the Internet, which are now used by millions of people to stay alive. Cyber-crime and data breaches continually pose threats to computers and databases worldwide, but computers put inside people, which are continually increasing, are also subject to threats.
Implanted medical devices have existed for decades, but they have only become virtually accessible in the past few years. The devices, much like medical apps on smartphones, compile and transmit data electronically to doctors or networks.
While the devices allow doctors to collect important data, most have no encryption or defensive protections in place. In addition, many older ones use older software that is more susceptible to viruses and hacking. Loading equipment with new software or firmware is not a simple proposition. Updates are not done electronically in many devices. Changes require surgery to access the devices embedded in bodies. New batteries also require surgery, and adding more security features could eat up more battery power. While implantable devices are the hardest to access and address, there are other devices that are raising concerns, too.
Many regulators were pushing the FDA to develop guidelines that take security and updating concerns into account when reviewing and approving devices. One example is anesthesia carts. They used to be operated via dials and knobs, with no Internet access. Now, newer ones are controlled wirelessly via iPads that could conceivably be hacked.
Situations similar to the hacking on Homeland are what the FDA is trying to address in its guidelines. The agency is encouraging future devices to use encryption, require secure authentication and be designed so that updates can be pushed without surgery. Much as drug manufacturers take into consideration side effects and interactions with other medications, the FDA wants device makers to evaluate possible cybersecurity problems and their solutions.
The new FDA guidelines are an overdue first step. The agency is holding a workshop in Arlington, VA, later this month on medical devices and cybersecurity. It wants organizations and companies to work together on security improvements. The FDA is also working with other federal agencies and manufacturers of devices to make stakeholders aware of vulnerabilities in existing devices.
Cybercrime keeps growing, and cybersecurity is a real threat, not one fictionalized for a TV show. It is important that cybersecurity solutions and further guidelines developed by the FDA for medical devices address legal protections, equipment guidelines, patient disclosure, and the testing and updating of systems already in place as well as those yet to be developed.
By Dyanne Weiss