Hacking Risks for Medical Devices with Internet Connectivity
[Posted on: Thursday, January 12, 2017] Like any other internet-connected device, medical devices can be hacked, and the hacked device used to harm the individual dependent on it. Imagine someone controlling the pacemaker embedded in your body or the infusion pump giving you life-support. It’s no different from someone pointing a gun to your head, with similar outcome. The possibility no longer just resides in the minds of Hollywood writers but is a really scary concern. FDA has been increasingly worried about cybersecurity of wired and wirelessly connected remote controlled medical devices since 2013 when FDA released the first Guidance document on the topic. Just 2 weeks ago, on the last days of 2016, FDA released the final Guidance document on post-market cybersecurity requirements for medical devices; and this week, we saw the notification of a major concern with a wireless controlled cardiac device. And it is not limited to conventional medical devices. Last year there was report of hackers holding ransom a hospital in Los Angeles and only released the critical patient records after receiving the ransom payment. Electronic medical records are only as secure as the computers they are hosted on. Not only the life-supporting devices but devices such as fitness trackers, health information systems, pharmacy records, and all other connected devices that are increasingly becoming a critical part of healthcare can be hacked into and misused. However, despite these concerns, connected medical devices are here to stay. FDA is supportive of connected medical devices but now require manufacturers to pay special attention to vulnerabilities of their devices to cyber threats, and take appropriate measures to reduce the likelihood of hacking. Manufacturers are required to consider cybersecurity throughout the total product lifecycle of a device. The premarket and post-market cybersecurity Guidance documents provide a roadmap for manufacturers to incorporate testing for proper device performance in the face of cyber threats starting from design and development, to post-market monitoring for new cybersecurity concerns. For developers of medical devices or any other application in the healthcare sector, software validation should include cyber threat analysis and adequate remedial actions. Remote control of medical devices is a relatively new area of regulation. So far, majority of wired or wirelessly controlled medical devices, including those connected via Bluetooth or RF transmitters, belong to the low risk Class I medical devices. Many of such devices are exempt from FDA review and hence likely do not contain robust cybersecurity measures. For Class II and Class III devices, software validation has always included cybersecurity measures if the software communicates via internet or intranet. So for all practical purposes the above doomsday scenario of hackers controlled life-supporting embedded devices is a smaller threat at present. For Class I devices, the risks of harm to users are low or none. Hacking of an internet connected device, both by malicious and non-malicious (AKA, government) hackers, is the reality of the times. No systems are perfect; time and again we are presented with hackers getting into seemingly well-protected private networks and access unauthorized information. But for medical devices, we are at a very early phase. The good news is that by the time connected devices become common; cybersecurity measures will likely be robust to avoid major catastrophic events.
|
|