FDA and Medical Device Manufacturers Refine Cybersecurity Breach Disclosure

A pacemaker, an insulin pump, or one of the ten to fifteen devices connected to a hospital bed could all be vectors for cyber attacks.

Medical device manufacturers are ramping up the connectivity in life-saving devices to enhance patient care. However, the new benefits to diagnosis and monitoring also come with new risks. These devices are all vulnerable to hacking, which could allow bad actors to tamper with battery life, heart rhythm, or automatic insulin dosing.

In response, the FDA convened its patient engagement advisory committee to examine the risks and determine when device companies should be required to advise patients of a security vulnerability or breach. The challenge arises if notification is required before a fix is in place: publicizing a vector for attack could put patients at risk.

In its September 10 meeting, the group focused on the process for determining when a vulnerability should be disclosed to affected parties. Disclosing too early may leave patients at risk; however, patches can sometimes take months. Putting proper guidelines in place ensures that manufacturers have something concrete to lean on should the need arise.

The need for these policies is not the stuff of science fiction. In 2017, the FDA issued a recall for 465,000 pacemakers due to security vulnerabilities. In March 2019, Medtronic was the subject of a Department of Homeland Security investigation that determined that some of the company’s pacemakers were vulnerable to unauthorized access. Hackers could adjust the settings and injure a patient were they so inclined.

The FDA continues to look at how devices connect to the internet for important updates. While some automatically apply patches over a Bluetooth or Wi-Fi connection, others need to be manually updated by the patient. Still others require a visit to a health practitioner to install the most current firmware.

The introduction of the Internet of Things (IoT) in life-saving medical devices has created a host of additional considerations. Some patients don’t have regular access to an internet-enabled device, live in rural areas, do not speak English fluently, or simply do not have a high level of health literacy. Keeping these individuals apprised of important updates regarding their internet-enabled medical device can be especially challenging.

As medical technology continues to evolve to allow doctors to monitor patient progress remotely and adjust treatment, the FDA, Department of Homeland Security, medical device manufacturers, and physicians will need to continue to weigh the benefits of innovation against the risks. Patients will need to understand the capabilities of the devices keeping them alive and make informed choices about their care.