The U.S. Government Accountability Office (GAO) recently released an August 2012 report urging the Food and Drug Administration (FDA) to expand its consideration of information security for certain medical devices. According to GAO, wireless medical devices are at risk from both unintentional and intentional threats, including those “with the potential to adversely affect operations, assets, or individuals by means of unauthorized access, destruction, disclosure, modification of information, denial of service or a combination of these.” In particular, the report cites research demonstrating the ability to exploit vulnerabilities in implantable cardioverter defibrillators and insulin pumps, raising questions about the need to address such information security gaps.
To date, FDA has apparently focused on unintentional threats such as electromagnetic interference when conducting premarket reviews of medical devices with known vulnerabilities. “Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning,” states the report, which notes that the agency did not view intentional tampering as a realistic issue until recently. “However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas—risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities.”
GAO has thus urged FDA to reassess its approach for evaluating the information security of medical devices, as well as to provide post-market opportunities to report vulnerabilities. “For example, the agency’s adverse event reporting system relies upon reports submitted by entities, such as manufacturers, that are more closely related to clinical risks than to information security risks,” concludes the report. “Because information security in active implantable medical devices is a relatively new issue, those reporting might not understand the relevance of information security risks.”