GAO Calls Out FDA on Medical Device Cyber Security

October 1, 2012

The FDA needs to pay more attention during its approval process to the information security of medical devices to ensure they are not easily hacked, according to the Government Accountability Office (GAO).

According an article from MedPage Today, active implantable medical devices are using newer technologies, such as wireless capabilities, which increase their susceptibility to various information security risks.

In a report released Thursday, the GAO notes that “While FDA has considered some information security risks associated with unintentional threats during its premarket approval review process, such as interference, it has not considered others, such as patch and vulnerability management. Additionally, FDA has not considered information security risks resulting from intentional threats.”

The GAO gave three examples of said “intentional threats” to implantable medical devices, according to the article:

Unauthorized access: for example, a malicious person intercepting and altering signals sent wirelessly to the medical device
Malware: a malicious software program designed to carry out annoying or harmful actions and often masquerading as or embedded in useful programs so that users are induced to activate it
Denial-of-service attack: computer worms or viruses that overwhelm a device by excessive communication attempts, making the device unusable by either slowing or blocking functionality or draining the device’s battery.

Certain features of implantable medical devices can make them more vulnerable to these threats, the report notes, including the continuous use of wireless information transfer, remote access and unencrypted data transfer.

According to MedPage Today, trying to minimize these vulnerabilities could in turn create others. For instance, the report states, making sure that only authorized users have access to a device to reprogram it might mean that an emergency physician wouldn’t be able to make life-saving modifications to a patient’s pacemaker.

In response, the FDA says it intends to put more of an effort into information security issues.

Two FDA initiatives in particular may help: a “Unique Device Identification” system for post-market device surveillance will help the agency analyze adverse event reports more accurately, and a replacement for the FDA’s 15-year-old adverse event report system for devices, known as MAUDE. The new system, the article reports, will include 10 codes for reporting information security problems.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

GAO Calls Out FDA on Medical Device Cyber Security

Related Articles

Related Events

Report Abusive Comment