
Government Investigators: FDA Must Assess Medical Devices for Hacking Risks

Posted 28 September 2012 | By Alexander Gaffney, RAC 

Government oversight officials are sounding the alarm over the potential for medical devices regulated by the US Food and Drug Administration (FDA) to be hacked, and say FDA needs to establish new safeguards to ensure that unguarded devices do not reach patients with easily exploited vulnerabilities.

The report, "FDA Should Expand Its Consideration of Information Security for Certain Types of Devices," was authored by the Government Accountability Office (GAO), an investigative service of sorts that acts as a watchdog on behalf of Congress, at the request of some congressional Democrats.

GAO said its assessment of the threat identified several potential weaknesses, including unintentional signal interference, something the Federal Communications Commission has recently been grappling with as part of its Medical Body Area Networks (MBAN) proposal to let networked devices share frequencies with one another.

But the report reserved its most serious concerns for threats GAO characterized as "unauthorized accessing of a device," or hacking.

While conceding that the potential for hackers to gain access to devices has thus far remained conceptual, GAO nevertheless said medical devices exhibit a number of potential vulnerabilities, untested firmware and software, unsecured wireless connectivity and limited battery life among them, which could affect the safety and effectiveness of the devices.

This could happen in a number of ways, postulated GAO: limited battery life, remote access vulnerabilities, interruptible wireless signals, unencrypted data transfers, susceptibility to interference, faulty warning mechanisms, reliance on outdated and obsolete technologies and the inability to download security patches.

These, in turn, could lead to hackers tampering with a device's settings, disabling key functions of the device without a user's knowledge, obtaining sensitive data about a patient or causing a complete device malfunction.

The problem for patients, explained GAO, lies in how FDA evaluates medical devices. "FDA considered information security risks from unintentional threats, but not risks from intentional threats, during its 2001 and 2006 premarket review of two medical devices that have known vulnerabilities," it noted. FDA, it explained, "did not consider information security risks from intentional threats as a realistic possibility until recently."

In a statement to GAO, FDA said it plans to reassess how it evaluates information security risks, particularly in its postmarket surveillance efforts, the setting in which most device vulnerabilities are likeliest to emerge.

GAO's report closely mirrors earlier reports issued by the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and groups of academic researchers.
