Forbes reports that FDA's current surveillance system tracks such faulty medical devices as pacemakers, insulin pumps, defibrillators, and respiratory technologies. What the system does not do, however, is track such devices as Web-connected sensors and connectivity technologies used in such applications as wireless patient-data storage.
Based on "Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance," a report in the journal PLOS, the Forbes article notes that flaws in medical devices that display data on a screen or transmit information between patients and physicians could be harmful if hackers gain remote control of the software.
While the article notes that no known cases of malicious attacks on medical devices resulting in physical harm have been recorded to date, it also observes that the federal postmarket surveillance system is unprepared to respond in a timely manner to healthcare-related cybersecurity threats. The threats, however, are real. For example, just last month, Google shut down the website of medical device manufacturer CareFusion Inc. after discovering that updates streamed to the company's respiratory products contained Trojan horses and malware. In another instance, it took FDA nine months to process a report of faulty software in an automated external defibrillator, underscoring the potential dangers inherent in FDA's current system.
As excerpted below, the PLOS study summarizes the issues surrounding FDA's current approach, providing an impetus to improve medical device-related cybersecurity.
"The rapid dissemination of medical devices capable of storing and transmitting patients' medical information and the theoretical possibility of remotely reprogramming implanted medical devices raise important concerns regarding security, privacy, and safety. Investigators have demonstrated limitations of the security functions for implantable cardioverter-defibrillators (ICDs), for example, by proving the feasibility of communicating with an ICD through an unauthorized radio-based approach that theoretically could interfere with appropriate device therapy. While there are hundreds of confirmed reports of conventional computer viruses infecting medical devices in radiology, cardiac catheterization labs, sleep labs, and other clinical departments, there are no known case reports of malevolent interference that specifically target medical device function. A growing list of confirmed cybersecurity vulnerabilities in medical devices poses challenging risks to patients whose privacy or disease management depends on the proper functioning of devices.
"In the United States, post-market surveillance of medical devices identifies potential risks and connects device malfunction to adverse events in patients. Post-market events may trigger recalls or advisories depending on the nature of the device problem that is identified. These reports may provide important information about safety and effectiveness, and have led to revision of regulatory practices for devices such as ICD leads and automated external defibrillators....
"The rapid proliferation of medical devices, and their growing sophistication, presents Internet-age challenges for multiple stakeholders. Without an understanding of security and privacy, it will be difficult for patients and clinicians to establish confidence in device safety and effectiveness. While this study provides some comfort in the lack of observed security or privacy breaches, the related adverse events or device malfunctions are not served well by the current approach to postmarket surveillance. This conclusion challenges regulators and manufacturers to carefully weigh the premarket evaluation of security and privacy elements of their devices and systems, and to design postmarket systems that enable effective collection of cybersecurity threat indicators for medical devices. While intentional interference may be much less likely to manifest clinically than other types of traditional malfunctions, it is clear that no effective system exists to detect signals of security or privacy problems. This conclusion is confirmed by the sharp contrast of security and privacy problems tabulated by the VA and the security and privacy problems tabulated with FDA databases. To detect a security or privacy problem that could harm patients, a more effective information sharing system for medical device cybersecurity should be established."