The benefits of internet-connected medical devices are numerous and, in many ways, just getting started. Patients and their physicians are already able to monitor and manage chronic diseases with more accuracy and consistency than ever before. But for all their benefits, they come with serious risks, especially when it comes to security. Potential hackers could gain access to highly sensitive personal information. In cases where the device is connected to a hospital system, unauthorized access could cause a widespread issue throughout the network.
When devices are life sustaining, a cyberattack can also be life threatening. In 2007 while Vice President Dick Cheney was in office, his cardiologist disabled the Wi-Fi capability of his pacemaker because of such safety concerns. In 2015, students at the University of Alabama were able to hack into a robot that simulates human functions, disabling its pacemaker and demonstrating the potentially deadly consequences of such weaknesses. The concerns are nothing new, but as the sheer number of connected medical devices continues to grow, the need for action becomes more prevalent.
Chris Harvey will be speaking during the Medical Device Recalls Conference | May 14–15, 2018 | Washington, D.C. (or attend virtually) | Learn moreThe FDA issued guidance on the issue in late 2016. While nonbinding, it provides a framework for medical device manufacturers to follow. The guidance includes both premarket and post-market considerations. During the design and development phase, it states that manufacturers should identify and assess threats and vulnerabilities, examine the likelihood that the threat will be exploited, assess the impact of such an attack on patients and determine mitigation strategies.
While stopping cybersecurity threats before they start is ideal, the FDA acknowledges it is not always possible. The guidance says it is “essential” for manufacturers to develop cybersecurity risk management programs that include provisions for complaint handling, quality audits, monitoring of cybersecurity information for new vulnerabilities, corrective and preventive action, software validation and early mitigation of potential risks.
It also encourages manufacturers to collaborate with other stakeholders by participating in Information Sharing Analysis Organizations (ISAOs), saying they are “integral to a successful post-market cybersecurity surveillance program.” While participation is voluntary, the FDA states that it “does not intend to enforce certain reporting requirements of the Federal Food, Drug, and Cosmetic Act (FD&C Act)” for companies that actively participate in such a program and follow other recommendations contained in the guidance. The agency specifies that ISAOs should be inclusive, actionable, transparent and trusted.
While the prospect of a security threat to something as personal as a medical device is alarming to everyone involved, the good news is that when a risk is discovered, it can often be fixed with a software patch or update. In most cases, this solution does not require FDA approval. The guidance states that such actions are considered “device enhancements” rather than recalls. Because of the connected nature of these devices, some software updates can be completed remotely. In other cases, a field force is necessary to visit patients and providers to install updates.
However, there may be cases when a software patch isn’t sufficient to remedy the problem. If the potential risk to the patient is high, the issue may result in a recall—one that requires following each step of the recall lifecycle, from notification to product processing through final close out with the FDA. Indeed, there have already been multiple medical device recalls stemming from cyber vulnerabilities.
Cybersecurity concerns shouldn’t necessarily sideline product development, but companies should always incorporate recall planning and preparation into their innovation. That includes not only creating a written plan, but also testing that plan with mock recalls so that team members can gain experience and companies can fix gaps in their procedures. In the event of a cyber-related issue, these steps will help companies and their partners execute the recall as efficiently as possible.