The FDA Isn’t Doing Enough to Protect Medical Devices from Hackers, According to HHS Report
According to a report from the US Department of Health and Human Services (HHS), the FDA is not doing as much as it could or should be doing to protect medical devices like pacemakers, defibrillators, and insulin pumps from being hacked. The inspector general’s office has identified cybersecurity of medical devices as one of the top management problems the HHS now faces.
“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” the report states.
The FDA is the government division responsible for the safety of medical devices in the United States, but the report says their policies don’t adequately address the cybersecurity problem, reflecting a failure to assess the situation sufficiently. They do not have standard operating procedures in place to combat the issue, nor have they tested their ability to respond to such emergencies.
Of course, failing to protect these devices from being hacked could be life-threatening for people with pacemakers, insulin pumps, and other medical technology that helps keep them alive. If hackers are able to remotely access these devices, they can modify the programming commands and cause the machines to malfunction.
The report recommended that the FDA update its plans, procedures, and strategies and continue to do so in the future. Having a standard procedure for alerting clinicians and the public to potential problems and recalling vulnerable devices will improve the safety of people who count on medical devices every day.
There is something to be said for the FDA, however. The HHS report noted that “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”
And it isn’t as though the FDA has no plan in place at all. In April, they released their Medical Device Action Plan, which outlined pre- and post-market phases to address cybersecurity threats. The plan included measures to protect against moderate and high risk of hacking and requiring firms to disclose any vulnerabilities they find in their products.
The plan states: “FDA has taken steps to promote a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience that applies throughout the life cycle of relevant devices.”
FDA commissioner Dr. Scott Gottlieb adds that the FDA is not done addressing the issue:
“We want to assure patients and providers that the FDA is working hard to be prepared and responsive when medical device cyber vulnerabilities are identified,” he said in a statement.
So far, there have been no reports of patients being victimized by hacked medical devices.