FDA to bolster cybersecurity of medical devices

After a series of computer security problems in medical devices, the Food and Drug Administration (FDA) is taking steps to make sure companies do as much as possible to defend against hacking and other threats.

Cyber risks abound in health care, as the experiences of some of the big device companies that operate in Minnesota illustrate. Abbott Laboratories has issued updated software for hundreds of thousands of implanted heart devices over cybersecurity risks. Last month security researchers revealed vulnerabilities in Medtronic heart device-programming machines during a hacking conference in Las Vegas.

With those kinds of risks in mind, FDA staff members are closely examining companies' preparations for potential computer-hacking threats to devices that millions of Americans depend on, according to an audit report published Tuesday by the Health and Human Services Department's inspector general office.

"It's a fairly good story in terms of what FDA is doing on the cybersecurity front. As we dug into their processes further, however, we identified areas where there was room for improvement," said Abby Amoroso, the San Francisco-based deputy regional inspector general who served as team leader for the study.

FDA officials welcomed the input, noting that they were already following most of it and going beyond it in other aspects.

The guidance involves having the FDA make changes to its internal processes to make sure it asks questions about medical device cybersecurity earlier in the device-approval process, and to ensure such questions are asked uniformly when new device submissions are made.

Many high- and moderate-risk medical devices contain computers that can talk to the outside world, from infusion pumps that can communicate with a hospital's IT network to implantable pacemakers that wirelessly communicate with devices at the bedside or in a doctor's hand.

The FDA has been ramping up its cyber enforcement in recent years, starting in 2013 with the formation of a "cybersecurity working group" and the publication of rules in 2014 for how the FDA expects manufacturers to develop long-term plans for medical device cybersecurity. FDA guidelines say manufacturers should submit a cybersecurity hazard analysis with device applications and include plans for how to issue future software updates.

The investigative report from the inspector general's office examines FDA's efforts before device approval. A second report, still being written, will examine FDA's efforts on cybersecurity after devices have been allowed onto the U.S. market.

Though the auditors didn't identify any medical device that wasn't allowed onto the market for cybersecurity reasons, FDA officials said they already ask tough questions about computer security.

One FDA employee quoted in the report said that she checks data-encryption and authentication features in diabetes devices that communicate via Bluetooth or Wi-Fi, because those controls could cut down on the risk that an unauthorized person could take control of the device and deliver too much insulin.

In another case, an FDA reviewer found that a company that makes glucose monitors relies on end-users' antivirus software and firewalls, but that wasn't reflected in the user manual or the hazard analysis. The unnamed company had to update its hazard analysis to include the missing information before the FDA would accept it, the report says.

The FDA also focuses on known cybersecurity risks in the preapproval stage. One FDA reviewer said they "took into account" a widely known password vulnerability when a similar device from the same company was submitted for review.

In another case, when independent computer hackers showed that they could remotely take control of a company's implanted heart devices to deplete the battery or cause inappropriate shocks, the revelation spurred the FDA to hold meetings with several other device companies that were preparing submissions of similar pacemakers and implantable defibrillators.

"During these presubmission meetings, FDA discussed with each manufacturer the newly discovered vulnerability and inquired what cybersecurity controls their device had," the inspector general's report says. The meetings gave the FDA the chance to ask "pointed questions about the cybersecurity risks and controls of their devices, and to discuss information that manufacturers might not have known FDA was interested in."

The inspectors specifically recommended that FDA reviewers add cybersecurity to their "refuse to accept" checklist, which is a list of items that companies must submit at the beginning of the process just to be considered for potential clearance or approval.

FDA officials said they agree with the recommendation, but it's more of an efficiency move since it won't change what information companies have to submit — just the potential timing of it. Including cybersecurity as an item on the checklist could help ensure that the initial submission contains all the necessary elements for digital security up front, instead of making the FDA ask for it later.

The FDA said it has taken those two steps, and is also already working to update its rules for how network-capable devices should be designed at their earliest stages with cybersecurity in mind.

New rules under consideration at FDA could require device makers to create and distribute a "software bill of materials" that would identify all of the software that comes standard on a device. The agency is also considering forming a public-private CyberMed Safety Analysis Board that would assess high-impact cyber problems serve as a "go team" to investigate potential and actual device compromises at the FDA's request.

"Like the evolving nature of the devices regulated, and cybersecurity threats faced, the FDA's regulatory approach is not static," an agency spokeswoman wrote in an e-mail.