Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

If Hackers Can Commandeer a Car, Why not a Medical Device?

By Dr. Christopher Joseph Devine

The latest cybersecurity threat reveals how an insulin pump is vulnerable to hackers.

A few weeks ago, hackers commandeered a car (an experimental hack) and were able to take control of the vehicle, including driving it to its untimely demise. That being said, the doctor wonders how safe hospitals might be from potential hackers, with all the technical marvels the device industry has to offer. Guess what, people? The FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (Dr. D bets you can’t say the name of that government department three times fast) share those same concerns. While Dr. D was performing his weekly dive into the FDA’s website in search of goodies to write about, one of the more prevalent discussions was centered on an agency safety communication issued last week. The FDA and Homeland Security voiced their concerns pertaining to the potential vulnerabilities of a certain medical device associated with a potential cyber attack. The brusque (look it up) statement made by the FDA clearly and concisely voiced the agency’s concerns pertaining to cybersecurity. Enjoy!

FDA Safety Communication to Industry – July 31, 2015

Dr. D has taken the liberty of providing the first three paragraphs from the agency’s news release. The culprit associated with this news release is the Hospira Symbiq Infusion System. Unfortunately, this was not the first time this device has been on the FDA’s radar screen.

Many of you might remember that in October 2012, Hospira announced a voluntary Class I recall for the Symbiq Infusion Systems due to some performance issues associated with the instrument’s touchscreen. Within a few months of this Class I recall (January 2013), the FDA showed up on the doorstep of Hospira’s Lake Forest, IL manufacturing facility for a cup of coffee and an inspection. Twelve Form 483 Observations later, the agency awarded Hospira one of its prized warning letters (May 2013). Three months after the warning letter, FDA announced a Class II recall of Symbiq (August 2013). In its response to FDA’s warning letter, Hospira stated that the Symbiq pump would be retired.

“The FDA, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and Hospira are aware of cybersecurity vulnerabilities associated with the Symbiq Infusion System. FDA strongly encourages health care facilities transition to alternative infusion systems, and discontinue use of these pumps.

Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies. The FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting.

Hospira has discontinued the manufacture and distribution of the Symbiq Infusion System, due to unrelated issues, and is working with customers to transition to alternative systems. However, due to recent cybersecurity concerns, the FDA strongly encourages health care facilities to begin transitioning to alternative infusion systems as soon as possible.”

How Can Industry Protect Itself from Hackers?

According to John F. Murphy Jr., the FDA’s software compliance expert, “Cyber-security vulnerability exists whenever the software provides the opportunity for unauthorized access to the network or the medical device. Vulnerabilities in cyber-security may represent a risk to the safe and effective operation. Failure to properly address these vulnerabilities could result in an adverse effect on public health.” Additionally, 21 CFR Part 820 (the Quality System Regulation) applies to the development and maintenance of software, when such software is an integral part of a finished medical device. Furthermore, the agency has issued multiple guidance papers on the use of software in medical devices including:

  • General Principles of Software Validation
  • Off-the-Shelf Software Use in Medical Devices
  • Content of Premarket Submissions for Software Contained in Medical Devices

According to Murphy, software changes associated with cybersecurity shall be validated: (a) all software changes made to address cybersecurity vulnerabilities should be validated; (b) for software changes intended to address cybersecurity vulnerabilities, analysis, inspection, and testing should be adequate, and clinical validation should not be necessary.

Takeaways

For this week’s guidance, the doctor will not issue any takeaways, because cybersecurity is clearly not in Dr. D’s wheelhouse of expertise. The best advice Dr. D can offer is that if you are ever hospitalized and your supposed loved ones are inquiring about the IP addresses associated with the medical devices in your room, it is time to find a new healthcare provider, and quickly. The possibility of a hacker accessing medical devices during a procedure or influencing equipment performance located in an intensive or urgent care ward scares the heck out of the doctor. Dr. D can see potential heirs of the rich and famous reading a few books on Hacking 101. In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG, cheers from Dr. D. and best wishes for continued professional success.

References

  1. Code of Federal Regulations. (2014, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. Enforcement report – recall Z-1847-2013. (August 2013). Accessed August 3, 2015. Retrieved from http://www.accessdata.fda.gov/scripts/enforcement/enforce_rpt-Product-Tabs.cfm?action=select&recall_number=Z-1847-2013&w=08072013&lang=eng
  5. FDA’s enforcement page. (May 2013). Accessed August 3, 2015. Retrieved from http://www.fda.gov/iceci/enforcementactions/warningletters/2013/ucm352318.htm
  6. Hospira issues a voluntary nationwide recall of Symbiq infusion systems due to inaccurate response of the touch screen to user selection/input. (October 2012). Accessed August 3, 2015. Retrieved from http://www.fda.gov/safety/recalls/ucm326131.htm
  7. Symbiq Infusion System by Hospira: FDA safety communication – cybersecurity vulnerabilities. (July 2015). Accessed July 31, 2015. Retrieved from http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm456832.htm
