Many medical devices involve embedded computer systems that are vulnerable to cybersecurity breaches – like computer viruses and malware. Of course, for New Jersey consumers this may present privacy concerns, but many people may be less aware that lax cybersecurity standards among the makers of devices can greatly affect patient safety.
Researchers have recently alerted the federal government to the fact that computer viruses can affect the performance of everything from pacemakers, to fetal monitors, to surgical and anesthesia devices. As a result, the Food and Drug Administration has decided to tighten the standards placed on medical device manufacturers and health care facilities in order to protect patients from cybersecurity-related injuries.
While government officials have not yet linked specific patient injuries or deaths to corrupted medical devices, the FDA has said it receives reports of infected and disabled medical devices on a monthly or even weekly basis. Tracking injuries related to cybersecurity issues is difficult because those who report the cases are usually not trained in this area.
Back in 2010 and 2011, a number of hospitals were forced to temporarily close their cardiac catheterization labs because critical medical devices were hindered by viruses. The FDA has also stated that in October, a Boston hospital reported that fetal monitors used on women with high-risk pregnancies were slowed down by computer viruses.
Last week, the Food and Drug Administration released final cybersecurity guidelines for the testing, design and use of wireless medical devices. The guidelines cover wireless medical devices that are worn on the body or implanted, as well as external medical devices that are designed for use in patients’ homes, hospitals, clinics and other medical settings. The guidelines apply to medical device manufacturers, hospitals, health care IT and procurement staff, as well as biomedical engineers.
While the FDA guidelines are not yet legally enforceable, the agency has suggested that medical devices that are not protected from malware and cyber attacks may not be approved for use.
The FDA guidelines for device manufacturers include:
- Ensure that data transferred to and from devices is secure.
- Implement fail-proof features that protect critical device functions during security breaches.
- Implement features that allow for the screening and logging of security compromises, as well as defenses against said compromises.
The FDA is currently fielding comments on the guidelines. Many security analysts have said that device manufacturers have the ability to reduce safety threats, but that they have had little incentive to do so. Hopefully, the FDA’s actions will spur these companies to improve device security and respect patient safety.
Source: The Washington Post, “FDA, facing cybersecurity threats, tightens medical-device standards,” Lena H. Sun and Brady Dennis, June 13, 2013
Source: PC World, “US FDA calls on medical device makers to focus on cybersecurity,” Grant Gross, June 13, 2013
Source: California HealthCare Foundation, “FDA Guidance Highlights Medical Device Security Concerns,” John Moore, Aug. 5, 2013