The Government Accountability Office (GAO) recently issued a report for Congress with a series of recommendations for improving the monitoring of security protocols for implanted medical devices which may be vulnerable to interference that could adversely affect their performance.
Specifically, the GAO report suggests that the Department of Health and Human Services should direct the Food and Drug Administration (FDA) to develop "a more comprehensive plan to assist the agency in enhancing its review and surveillance of medical devices as technology evolves, and that will incorporate the multiple aspects of information security."
In the last two years, several researchers have produced proof-of-concept exploits demonstrating vulnerabilities in some implanted medical devices that could lead to device failure and, in turn, to patient death.
Central to these concerns is the growing number of devices that include wireless communication functionality and use the Internet to relay data and operational instructions, which makes the devices susceptible to malware attacks and hacking.
The FDA previously only assessed "unintentional threats" in premarket reviews of two devices now known to have serious vulnerabilities - an implanted cardioverter defibrillator and an insulin pump - but failed to take into consideration risks presented by "intentional threats" to security and performance which "include unauthorized changes of device settings resulting from a lack of appropriate access controls," the GAO report states.
Analysis of the FDA protocols notes the absence of critical control areas the GAO has identified as essential to information security best practices, including "risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities."
The GAO report also identifies shortcomings in the FDA's postmarket adverse event reporting system, which focuses on clinical risks to performance as understood by manufacturers but does not currently include mechanisms that take into consideration potential information security vulnerabilities that may arise after the devices have already been approved for use in the general population.
"Because information security in active implantable medical devices is a relatively new issue, those reporting might not understand the relevance of information security risks," the report contends.
The GAO recommends that the FDA, under the direction of the Secretary of Health and Human Services (HHS), implement the following four actions as a minimum standard for ensuring proper assessment of information security risks in implanted medical devices:
- increase its focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its PMA review process;
- utilize available resources, including those from other entities, such as other federal agencies;
- leverage its postmarket efforts to identify and investigate information security problems; and
- establish specific milestones for completing this review and implementing these changes.
Included in the GAO report, HHS commented that the FDA has now made "efforts to identify and address information security concerns," specifically by "establishing collaborative relationships with DHS, NIST, and the Department of Defense, and is engaging other stakeholders to consider the potential applicability of standards from other sectors, such as industrial control, to medical devices."
HHS also indicated that the FDA is nearing the completion of a "National Postmarket Surveillance Plan designed to enhance national coordination of information sharing for adverse events related to medical devices."