A new government audit finds that the plans and processes federal regulators currently have in place for responding to the risk of medical device hacking are inadequate, warning that the lack of sufficient procedures for addressing post-market problems may leave Americans at risk of unauthorized device alterations.
The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) published a report on the FDA’s medical device cybersecurity procedures this month, indicating that the agency has not adequately tested its ability to respond to medical device hacking and in some cases had no written procedures at all.
Since 2012, the Department of Homeland Security (DHS) and the FDA have collaborated in an attempt to develop cybersecurity precautions for medical devices. As technological advances in the medical field continue to develop, the FDA has expressed an urgent need to remain vigilant in protecting these devices from hackers.
Prior medical device hacking demonstrations indicate that pacemakers and insulin pumps are being manufactured without proper encryption. Demonstrations show that hackers can install malicious firmware on a device used by doctors to control patients’ pacemakers, which could give them full control of the device.
Since 2014, DHS has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative action to address the medical field’s cybersecurity issues is not taken, hackers could exploit these vulnerabilities and put patients at serious risk.
Despite recent strides in medical device safety by the FDA, including its newly designed medical device playbook intended to prepare healthcare organizations for malicious attacks, the OIG’s new analysis of the agency’s emergency preparedness plans has found deficiencies in its processes.
OIG officials warn the FDA has not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices, and in two of the nineteen district offices there were no standard operating procedures to address recalls of medical devices vulnerable to cyber threats.
Per the OIG recommendations, the FDA is being advised to continually assess cybersecurity risks to medical devices and update its plans and strategies as appropriate. Additionally, the FDA is being advised to establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders.
OIG officials recommend the FDA enter into a formal agreement with the Department of Homeland Security’s Industrial Control System Emergency Response Team, and other federal partners, for assistance in assessing roles and responsibilities.