After a series of computer security problems in medical devices, the Food and Drug Administration is taking steps to make sure companies do as much as possible to defend against hacking and other threats.
FDA staff members are examining companies’ preparations for potential computer-hacking threats to devices that millions of Americans depend on, according to an audit report published Tuesday by the Health and Human Services Department’s inspector general office.
“It’s a fairly good story in terms of what FDA is doing on the cybersecurity front. As we dug into their processes further, however, we identified areas where there was room for improvement,” said Abby Amoroso, the San Francisco-based deputy regional inspector general who was team leader for the study.
FDA officials welcomed the report, noting that they were already following most of its guidance and going beyond it in other aspects.
The guidance involves having the FDA make changes to its internal processes to make sure it asks questions about medical device cybersecurity earlier in the device-approval process, and to ensure that such questions are asked uniformly when new device submissions are made.
Many high- and moderate-risk medical devices contain computers that can communicate with the outside world, such as infusion pumps that work with hospital IT networks, and implantable pacemakers that wirelessly communicate with devices at the bedside or in a doctor’s hand.
Such communications are intended to make health care more accurate and safe, but computer hackers have shown that such devices can be hijacked to create problems. Although there’s never been a documented computer attack on a medical device that led to intentional patient harm, “ransomware” attacks have shut down hospital computers, and independent researchers say attacks on implanted devices may have gone undetected.
The FDA has been increasing its cyber enforcement in recent years, starting in 2013 with the formation of a “cybersecurity working group” and the publication of rules in 2014 for how the FDA expects manufacturers to develop long-term plans for medical device cybersecurity. FDA guidelines say manufacturers should submit cybersecurity hazard analyses with device applications and include plans for how to issue software updates.
The investigative report from the inspector general’s office examines FDA’s efforts before device approval. A second report, still being written, will examine FDA’s efforts on cybersecurity after devices have been allowed onto the U.S. market.
Though the auditors didn’t identify any medical device that wasn’t allowed onto the market for cybersecurity reasons, FDA officials said they already ask tough questions about computer security.
One FDA employee quoted in the report said that she checks data-encryption and authentication features in diabetes devices that communicate via Bluetooth or Wi-Fi, because those controls could cut down on the risk that an unauthorized person could take control of the device and deliver too much insulin.
In another case, an FDA reviewer found that a company that makes glucose monitors relies on end-users’ antivirus software and firewalls, but that wasn’t reflected in the user manual or the hazard analysis. The unidentified company had to update its hazard analysis to include the missing information before the FDA would accept it, the report says.
The FDA also focuses on known cybersecurity risks in the preapproval stage. One FDA reviewer said the agency “took into account” a widely known password vulnerability when a similar device from the same company was submitted for review.
In another case, when independent computer hackers showed that they could remotely take control of a company’s implanted heart devices to deplete batteries or cause inappropriate shocks, the revelation spurred the FDA to meet with several other device companies that were preparing submissions of similar pacemakers and implantable defibrillators.
“During these presubmission meetings, FDA discussed with each manufacturer the newly discovered vulnerability and inquired what cybersecurity controls their device had,” the inspector general’s report says. The meetings gave the FDA the chance to ask “pointed questions about the cybersecurity risks and controls of their devices, and to discuss information that manufacturers might not have known FDA was interested in.”
The inspectors specifically recommended that FDA reviewers add cybersecurity to their “refuse to accept” checklist, which is a list of items that companies must submit at the beginning of the process just to be considered for potential clearance or approval.
FDA officials said they agree with the recommendation, but it’s more of an efficiency move since it won’t change what information companies have to submit — just the potential timing of it. Including cybersecurity as an item on the checklist could help ensure that the initial submission contains all the necessary elements for digital security up front, instead of making the FDA ask for it later.
The federal inspectors also recommended that FDA include cybersecurity discussions in its meetings with companies planning to submit devices for approval, and that it add cybersecurity to the digital templates used for reviewing lower-risk devices.
The FDA said it has taken those two steps, and is also already working to update its rules for how network-capable devices should be designed at their earliest stages with cybersecurity in mind.
New rules under consideration at FDA could require device-makers to create and distribute a “software bill of materials” that would identify all the software that comes standard on a device. The agency is also considering forming a public-private CyberMed Safety Analysis Board that would assess high-impact cyber problems and serve as a “go team” to investigate potential and actual device compromises at the FDA’s request.