In late October, the Food and Drug Administration released guidelines for medical device manufacturers to follow regarding cybersecurity. According to agency spokeswoman Jennifer Rodriguez, the information was provided in an effort to specify exactly what is expected of device manufacturers when it comes to security.
Within the cybersecurity guidance, the FDA suggests that manufacturers incorporate specific controls to combat known cyber risks, as well as take into consideration the risk to patients and the environment within which the device will be used. The agency also asked that manufacturers document the security considerations they’ve taken for the products they submit for approval.
One of the main concerns is the radio interface present within all implanted medical devices that allows doctors to take readings and make necessary adjustments, explained Mike Ahmadi, global director of medical security for Codenomicon. The possibility of outside interference with medical devices has been considered by the government for some time now. In fact, in order to protect against an assassination attempt against Vice President Dick Cheney, the wireless capabilities of his pacemaker were disabled by doctors while he was in office.
“When you put a medical device in a person, it acts like a vital organ,” said Ahmadi in an interview with SFGate. “If you have a pacemaker, it acts like a vital organ. So if you can send it some digital information that causes it to fail, you have to look at that as being like a digital pathogen.”
While there have been no known cases of malicious actors killing someone by tampering with an implanted medical device, according to Ahmadi, there is proof the devices can at the very least be hacked. Three years ago, a security researcher hacked into his insulin pump simply by using its serial number, proving that it was possible to force the device into delivering a lethal dose of insulin, SFGate reported.
Data security also a major concern
Preventing deaths is an important task for the FDA, but the agency is also deeply concerned about the possibility of hackers being able to steal personal information through implanted devices to commit fraud. Manufacturers will have to show that they have put in safeguards that not only protect against tampering with devices, but also protect the information stored within those products.
While the purpose of the guidance was to instruct manufacturers on how to move forward with embedding cybersecurity into their products, the FDA also indicated that security falls to healthcare facilities and patients as well. The issue will be an evolving one that will need constant monitoring.