The FDA tur ns its focus to medical device cybersecurity

As technology advances, global healthcare services are becoming increasingly digitised and connected to the internet, which allows for superior integration between services, devices, caregivers, and patients. This connectivity enhances the portability of patient data and enables new avenues of patient-centric care, but also opens up the potential for data theft and malicious device tampering.

On April 17, Abbott Laboratories recalled certain implantable cardioverter defibrillators (ICDs) and cardiac resynchronisation therapy defibrillators (CRT-Ds) in order to issue a corrective firmware patch that eliminates several security flaws, including the life-threatening ability for third parties to access compromised devices and rapidly deplete their batteries or alter their functional outputs. The FDA approved this recall and claims that there are no known reports of patients being harmed due to these cybersecurity flaws (FDA, 2018b).

Medical device vulnerabilities extend well beyond wireless devices. Recently, a research group identified computed tomography (CT) scanners as a primary point of vulnerability in hospitals, and demonstrated that the devices’ operations could be maliciously altered (Mahler et al., 2017). The report authors show that the CT device exploit could lead to radiation overdose or data manipulation.

As is the case with CT scanners, many devices are connected to a computer, or have a computer embedded within them, which opens up a host of vulnerabilities if their operating systems are not up to date. These operating system exploits can be particularly disruptive, as was seen in the 2017 WannaCry ransomware cyberattack.

This attack spread globally and had a profoundly negative impact on National Health Service (NHS) hospitals in the UK, some of which were forced to divert patients. Following WannaCry, NHS Digital assessed 200 trusts and found that all of them were still vulnerable to further attacks, indicating an urgent need for regulatory bodies to fully address the issue of cybersecurity (House of Commons Committee of Public Accounts, 2018).

The FDA recently released a press statement that outlined the agency’s commitment to enhancing medical device safety. In this statement, the FDA emphasised both the importance of managing the total life cycle of devices and the pressing need to create robust resources to defend against cyberattacks (FDA, 2018a). As devices continue to become more complex, integrated, and connected, it is vital that they are secured from cyberattacks across their entire lifecycle to ensure that they remain safe for use.