FDA Working to Secure Medical Devices

FDA’s Center for Devices and Radiological Health (www.fda.gov) works closely with the Department of Homeland Security (DHS, www.dhs.gov), the private sector, medical device manufacturers, healthcare delivery organizations, security researchers, and end users to strengthen the cyber infrastructure.

A growing number of medical devices are designed to be networked to facilitate patient care. However, networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.

As medical devices, along with hospital networks and smartphones, become increasingly connected to the Internet, there is an increased risk of attacks, which could greatly affect how a medical device operates.

FDA encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner. Manufacturers have always been encouraged to provide updates and patches; however, providing security for critical safety systems is very complex.

The FDA realizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices, or take additional actions, to reduce security risks.

FDA does recognize that if HDOs make changes, then a risk assessment is needed. In that case, FDA recommends working closely with medical device manufacturers to communicate any changes that are necessary.

The FDA was recently faced with the issue of potential damage that could be done to pacemakers via a cyber-attack. Abbott (formerly St. Jude Medical) produces implantable cardiac pacemakers for the market, including the Cardiac Resynchronization Therapy Pacemaker (CRT-P).

The pacemakers are implanted under the skin in the upper chest area and connect to the heart through insulated wires called leads. A patient may need an implantable cardiac pacemaker if their heartbeat is too slow or needs resynchronization to treat heart failure.

To prevent cyber-attacks on the Abbott pacemaker device, FDA reviewed the information on hand concerning potential cybersecurity vulnerabilities. If such attacks took place, an unauthorized user might be able to access a patient’s device using commercially available equipment.

This access could possibly be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or from the administration of inappropriate pacing.

There is a solution. “Firmware” is a specific type of software embedded in the hardware of a medical device, and it is a component of the pacemaker. A firmware update has been put in place to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities in specific Abbott pacemakers. Last August, FDA approved this firmware update to be used specifically as a corrective action.

After the update is installed, any device attempting to communicate with the Abbott implanted pacemaker must provide authorization to do so. Also, beginning last August, all newly manufactured pacemakers must have this update pre-loaded, so they will not need the update applied later.

Go to www.fda.gov/about/FDACentersOffices/OrganizationCharts/ucm350375.htm for more information on medical devices.