FDA isn’t doing enough to prevent medical device hacking, HHS report says
The US Food and Drug Administration is not doing enough to prevent medical devices such as pacemakers and insulin pumps from being hacked, a report from the US Department of Health and Human Services’ Office of the Inspector General said Thursday.
“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” the report says.
The report came after the inspector general’s office identified cybersecurity in medical devices as one of the top management problems for Health and Human Services. The FDA is the division responsible for the safety of these devices.
The report says policies did not adequately address medical device cybersecurity problems, the FDA had not sufficiently tested its ability to respond to emergencies, and it did not have written standard operating procedures.
According to the report, these weaknesses stemmed from the FDA not having adequately assessed the risk that medical device cybersecurity problems can pose.
“We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” the report notes. However, “existing policies and procedures did not include effective practices for responding to those events.”
The report recommended that the FDA continually assess and update its plans and strategies on medical device cybersecurity risks, establish written procedures and practices to share information about cybersecurity events with key stakeholders such as clinicians, ensure that a procedure for the recall of vulnerable devices is established and maintained, and make agreements with federal partners to further the cybersecurity mission.
In April, the FDA put out a Medical Device Action Plan that outlined its plans to protect the safety of medical devices.
“FDA has taken steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices,” the plan said.
It details both pre- and postmarket phases to address the risk of cybersecurity threats. The premarket stage covers product design and development; the postmarket stage begins once the device is available for use.
The plans included updating premarket guidance to better protect against both moderate and high risks. For the postmarket phase, the FDA is considering new requirements that firms adopt policies and procedures obliging them to disclose vulnerabilities when they are identified.
FDA Commissioner Dr. Scott Gottlieb detailed the risks of cybersecurity attacks on medical devices, and the problems and anxiety these can cause for patients, in a statement in October.
“We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified,” he said.
In 2017, the FDA reported on vulnerabilities in St. Jude Medical’s Implantable Cardiac Devices, including pacemakers and defibrillators, and in the accompanying Merlin@home Transmitters.
The announcement said that if these vulnerabilities were exploited, the devices could be remotely accessed and the programming commands modified.
St. Jude created a software patch that reduced the risk posed by the vulnerabilities.
The safety announcement noted that “there have been no reports of patient harm related to these cybersecurity vulnerabilities.”