On February 4, 2016, Senator Barbara Boxer (D-CA) sent a letter to the five largest medical device makers asking them to explain what steps they are taking to address cyber vulnerabilities in their products. The letter was sent to the chief executive officers of Johnson & Johnson, Medtronic, GE Healthcare, Philips North America, and Siemens USA.
Senator Boxer’s concerns were prompted by the disclosure of cybersecurity vulnerabilities in drug infusion pumps commonly used by hospitals. In early 2015, independent security researchers found that vulnerabilities in a specific infusion system could allow unauthorized users to hack into the device through a hospital’s network, control the device, change dosage levels, and endanger patients.
While there has been no evidence of nefarious actors exploiting this vulnerability, the U.S. Department of Homeland Security (DHS) and the Food and Drug Administration (FDA) advised hospitals to discontinue using the device. The manufacturer, which had discontinued the system for unrelated reasons, is working with customers to deploy a software update to mitigate the vulnerability and add other cybersecurity protections.
Indeed, FDA has, for several years now, expressed concern about the cybersecurity risks associated with certain marketed medical devices and the potential effect a cyber-attack could have on the delivery of critical treatments to patients. FDA recently noted that a growing number of medical devices are being designed to be networked to facilitate patient care, and that such systems, which incorporate software, may be vulnerable to cybersecurity threats. To address these concerns, FDA published industry guidance in 2014 recommending that medical device developers incorporate cybersecurity management into their design control processes. More recently, on January 22, FDA released nonbinding draft guidance for managing postmarket cybersecurity vulnerabilities in medical devices. In the draft guidance, FDA encourages manufacturers to adopt and use the National Institute of Standards and Technology (NIST) voluntary framework, assess the vulnerabilities of their products, and participate in an Information Sharing and Analysis Organization (ISAO).
It is not clear whether Senator Boxer intends to introduce legislation or launch a congressional investigation into medical device makers, but we expect continued scrutiny by both Congress and regulators.