OIG Recommendations to the FDA for Medical Device Cybersecurity: Foretelling Additional Regulation and Requirements for Controls?

By: Sedgwick Jeanite

With more and more medical devices connected to the Internet of Things (IoT), there is increasing concern over the potential vulnerability of such devices to cyberattacks. This vulnerability represents greater exposure not only for manufacturers and healthcare providers employing IoT medical devices, but also for the insurance carriers who insure against such risks. As a further highlight of this concern, a recent report released by the Office of the Inspector General (OIG) implied that the Food and Drug Administration (FDA) has insufficient controls to respond to cybersecurity problems with medical devices already in the market. The Federal Food, Drug, and Cosmetic Act provides that the FDA’s mission is to ensure that medical devices legally marketed in the United States are safe and effective for their intended uses.

The OIG report may have been prompted by several events occurring over the past two years that involve cybersecurity and medical devices, including:

  • warnings by the FDA and Department of Homeland Security about medical devices and their cybersecurity vulnerabilities;
  • an October 2016 warning by Johnson & Johnson about the potential for a hacker to program the company’s Animas OneTouch Ping insulin pump to deliver a fatal dose of hormone;
  • an FDA recall in August 2017 of approximately 465,000 pacemakers due to cybersecurity concerns, announcing that patients with the Abbott (formerly St. Jude Medical) radio frequency-enabled implantable pacemaker should update the software to patch a security hole in the device’s older software;
  • the FBI’s October 2017 Public Service Announcement, titled “Common Internet of Things Devices May Expose Consumers to Cyber Exploitation,” which included concerns about medical devices such as wireless heart monitors and insulin dispensers; and
  • potential cybersecurity susceptibility associated with the internet connection of Medtronic’s cardiac implantable electrophysiology device programmers.

The OIG Report found that although the FDA had established plans and procedures to address certain medical device problems in the post-market phase, those plans and procedures did not adequately address medical device cybersecurity compromises. For instance, the report stated that the FDA had not sufficiently tested its ability to respond to emergencies resulting from cybersecurity events in medical devices, and that some of its district offices lacked written standards and controls to address recalls of devices susceptible to cyber threats. The OIG recommended that the FDA undertake the following actions:

  • continually assess cybersecurity risks in medical devices and update, as appropriate, its plans and strategies;
  • establish written procedures for securely sharing sensitive information about cybersecurity events with key stakeholders who have a need to know;
  • enter into formal agreements with federal agency partners, including the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, to further the FDA’s mission related to medical device cybersecurity and safety; and
  • develop and implement procedures for handling recalls of medical devices due to cybersecurity vulnerabilities.

Although the FDA agreed with the OIG’s recommendations, noting it had already implemented many of them, it disagreed with the conclusion that it had not assessed medical device cybersecurity at an enterprise or component level, or that its preexisting policies and procedures were insufficient.

The OIG Report reflects a trend followed by other agencies, including the SEC, of emphasizing continued, ongoing assessment of cyber risks (along with corresponding adaptation of cybersecurity programs) and the development and implementation of written procedures and controls to support such assessments. These changes at the regulator level will filter down to medical device manufacturers and affect both their liability and the liability risks their carriers underwrite. Questions to consider include:

  • How will manufacturers respond to the present-day challenges facing interconnected medical devices?
  • How can manufacturers (or healthcare providers) continuously assess cybersecurity risks posed to medical devices in use?
  • Should regulators adopt policies imposing specific requirements on manufacturers and/or the industry? If so, how will the manufacturers comply with them?
  • How may stakeholders share threat information regarding vulnerabilities and reported breaches to mitigate the effect of cyberattacks?
  • Should the medical device industry take proactive steps to preempt regulatory policies, such as through the development and adoption of consensus standards?

The answers to these questions, in turn, will govern how insurance carriers may assess and insure against risk.

To date, there has not been an official report of a cyberattack specifically exploiting a medical device such as a pacemaker, insulin pump or heart monitor. Should one occur before the OIG’s recommendations filter down, the market may react to speed up the timing for such reform and require medical device manufacturers to undertake changes immediately.
