Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices

Concern about the security of medical devices has been growing in recent weeks following the alleged discovery of security vulnerabilities in St. Jude Medical devices.

While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored.

Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited by cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security, patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data.

Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA) on the steps that are being taken to improve device security and communicate the need for enhanced security to medical device manufacturers.

In a letter to FDA Commissioner Dr. Robert Califf and the Director of the Center for Devices and Radiological Health (CDRH) Dr. Jeffrey Shuren, the congresswomen asked a number of questions about the actions the FDA is currently taking to mitigate cybersecurity risks, protect patients from harm, and educate device manufacturers on cybersecurity risks.

The congresswomen praised the efforts already made by the FDA to ensure device vulnerabilities are addressed and cybersecurity threats mitigated. However, the recent allegations of security vulnerabilities in St. Jude Medical devices and the rise in cyberattacks on healthcare providers have prompted the lawmakers to confirm that the FDA is equipped with the appropriate cybersecurity expertise and resources to ensure that risks to new medical devices are mitigated and threats to aging medical devices are being addressed.

Specifically, the FDA has been asked to clarify:

The steps that are being taken to notify device manufacturers that cybersecurity risk mitigation is a priority.

How the FDA is working with medical device manufacturers and industry stakeholders to help them identify and address potential vulnerabilities in premarket and postmarket contexts.

How the FDA is working with device manufacturers to ensure known vulnerabilities are mitigated, and how patients and healthcare systems are being informed of any security risks from using medical devices.

How the FDA is working with hospitals and other healthcare providers to help them address vulnerabilities in medical devices and keep devices and networks secure.

How the FDA is helping to ensure risks are mitigated for the entire lifecycle of medical devices, given the constant emergence of new threat vectors.

Confirmation has also been sought on how cybersecurity initiatives are being coordinated with other government agencies such as the Department of Health and Human Services, Federal Bureau of Investigation, Federal Trade Commission, and Department of Homeland Security.

The congresswomen have requested a response by December 16th.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.