As more medical devices are connected to networks and the internet, or feature wireless capabilities, discussions related to the security of these devices are heating up. Not only are there real concerns about the ability of hackers to access protected data via these devices, thus causing major data breaches, there is also a growing concern about the potential for an attack on connected medical devices to cause patient injury.
In fact, concern about the safety of these interoperable medical devices is so great that the FDA has released guidance for device developers and manufacturers related to their cybersecurity.
What Is the Risk?
Just a few years ago, former Vice President Dick Cheney made headlines when he dismantled the wireless capabilities of his pacemaker out of concern that the device could be used as a means of assassination. While some scoffed at the action as an overabundance of concern (or even paranoia), experts noted that the possibility of a connected pacemaker to be hacked is quite real.
In other words, any medical device that is connected to a network, whether implantable or external, could potentially be attacked and used to harm an individual. Just imagine the potential harm that could come when medical devices are intentionally (or even accidentally) infected with malware. A malfunctioning device like a pacemaker could lead to serious injury or even death.
While as of now, there haven’t been any documented cases of such attacks taking place, medical device manufacturers and government agencies are concerned, and working to establish protocols to prevent such attacks. Device manufacturers in particular are concerned, since failing to adequately secure a device could lead to costly litigation on behalf of injured patients.
The FDA Guidelines
In response to the cybersecurity risks, the FDA has drafted guidelines for device manufacturers designed to address cybersecurity concerns during premarket submissions. The guidelines fall into two categories:
1. Identify and protect and
2. Detect, respond and recover
The first category of guidelines focuses on manufacturers’ responsibility to identify and address potential risks before the device is released to the public. Manufacturers must identify and address potential vulnerabilities while still maintaining usability. Most importantly, the manufacturer must be able to explain and justify all its security decisions.
The second category of protocols is designed to address the manufacturer’s response in the event of a cyberattack. The FDA expects devices to have the ability to detect and respond to attacks in real time, and for there to be a plan of action for not only safeguarding the device’s ability to function, but also for informing patients of the attack and providing an action plan, which may include a recall. (For more information on product recalls and when they take place, this personal injury lawyer in San Antonio has an excellent resource.) The overall focus should be on protecting the consumer from serious injury, as well as keeping data safe from unauthorized access.
Nonbinding Guidelines
Currently, the FDA guidelines regarding cybersecurity are non-binding, meaning that device manufacturers are not required to comply with all of them in order to gain approval. That being said, the general assumption is that the guidelines will become the standard in premarket submissions, and manufacturers who fail to comply will not receive FDA approval.
In the event that a device is approved despite not following all the guidelines, the manufacturer is leaving itself open to costly lawsuits should there be a failure, even with a subsequent recall.
What Device Manufacturers Should Do
In the interest of minimizing the cybersecurity risk of a medical device, manufacturers should make cybersecurity a priority at every stage of development, both in the pre-approval and post-market phases. Not only should devices be designed and monitored to prevent breaches, and cybersecurity be a consideration throughout the lifecycle of the device, but there also needs to be guidance for all stakeholders (sales and marketing, physicians, patients, etc.) regarding the risks of a connected device and the potential threats to privacy and safety.
Connected medical devices can improve the overall delivery of healthcare and improve patient outcomes. However, as the threat landscape becomes more sophisticated, so must device manufacturers protections against attacks to prevent serious product liability and privacy litigation.