FDA approach to medical device security is a step backward
The FBI agents on the CBS show CSI: Cyber stop a hacker bent on infiltrating the data center that controls wearable insulin pumps used in the treatment of diabetes. On Showtime's Homeland, a hacker penetrates an implanted pacemaker to stop the vice-president's heart. When Hollywood uses lax information security safeguards to carry a storyline, people stand up and take notice.
IT security and privacy professionals have long been concerned about the lack of adequate safeguards and technical controls against cybersecurity threats to medical devices, mobile medical applications and other technology that monitors or measures the human condition. Medical devices, like other computer systems, can be vulnerable to security breaches that potentially affect the safety and effectiveness of the device. That exposure grows as medical devices are increasingly connected to the Internet, to hospital networks, and to other medical devices.
Providers that have attempted to address these issues have been frustrated by manufacturers, vendors and developers of medical devices who say that Food and Drug Administration (FDA) regulations prevent them from modifying or patching software or applications against newly found bugs or vulnerabilities, because the device has already been approved for sale by the agency. (The FDA itself has stated that it typically does not need to review or approve software changes made solely to strengthen cybersecurity, so this reading is at best incomplete.) Manufacturers have also warned off providers from taking steps on their own to modify FDA-approved devices. Congress gave the FDA nearly sole authority to develop the regulatory scheme for the approval and sale of medical devices. Some critics say the agency has been tone deaf to a rising call for standards that would assure the security of medical devices against unauthorized access or control.
The FDA issued “cybersecurity guidance” in October 2014 outlining recommendations that manufacturers should consider in order to protect patient information that may be stored on medical devices or transferred between wireless systems. The agency defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”
The guidance adopted the position that, for all new applications for pre-market approval of medical devices, the agency would weigh cybersecurity risks just as it weighs any other risk in deciding whether to approve a device. For medical devices already approved for sale by the FDA and in the marketplace, the agency recommended that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cybersecurity threats, for example the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. The guidance, however, did not provide a method for mitigating and managing cybersecurity threats, nor did the agency require manufacturers to take action to reduce cybersecurity risk in FDA-approved medical devices already on the market.
Next, in February 2015, the FDA finalized guidance removing agency review and approval requirements for so-called "medical device data systems" (MDDS), medical image storage devices, and medical image communications devices that create, transmit or store patient information, because it classified them as posing a low risk of harm to patient safety. In its policy guidance on MDDS, FDA states that it does not intend to enforce compliance with the regulatory controls applicable to these devices, so long as the devices meet the relevant definitions in the FDA regulations. This allows the manufacturers of these devices to avoid FDA registration and listing, pre-market review, post-market reporting, and the quality system regulation. FDA also states that it will not enforce compliance with pre-market notification for those MDDS, medical image storage devices, and medical image communications devices that would otherwise require it.
However, because FDA holds exclusive jurisdiction over the regulation of medical devices, its choice to use enforcement discretion and not apply its standards to these technologies could have the effect of preempting any other government standard meant to safeguard the information security of data handled by devices classified as MDDS, medical image storage devices, or medical image communications devices. No agency regulates what the FDA declines to regulate.
FDA explained that its decision not to enforce its authority over these medical devices rested on the low risk these devices and systems pose to patient health and on a reluctance to "stifle innovation and development" of digital health care technologies. Under the FDA regulations, an MDDS provides for the electronic transfer or storage of medical device data, the electronic conversion of medical device data from one format to another, or the electronic display of device data. A medical image storage device provides for the electronic storage and retrieval of medical images, while a medical image communications device provides for the electronic transfer of medical image information between medical devices.
Also in February 2015, the FDA issued updated guidance on mobile apps. According to the FDA, many mobile apps do not meet the definition of a device and are not regulated by FDA. Others fall within the definition of a device, but, as with its MDDS guidance, FDA explains that it is choosing not to enforce its regulatory requirements over them. The FDA stated that it does intend to enforce its requirements over a third category of mobile apps: those that meet the definition of a device and are intended either to be used as an accessory to a regulated medical device or to transform a mobile platform (such as a smartphone or tablet) into a device. FDA calls these "mobile medical apps".
The FDA guidance contains three appendices, giving multiple examples of the apps that are within the scope of FDA's enforcement, those outside it, and those for which FDA chooses not to exercise its authority. The first appendix lists examples of mobile apps that do not meet the definition of a device. The second gives examples of mobile apps that may meet the definition of a device, including those FDA treats as MDDS, over which FDA chooses not to enforce its requirements because of what it views as a low risk to patients. The third appendix contains examples of mobile apps that FDA deems to be mobile medical apps and therefore subject to its oversight.
Clearly, the FDA continues to recognize the importance of cybersecurity issues related to medical devices, and finalizing these guidance documents marks a milestone in drawing the boundaries within which medical device manufacturers and vendors must operate. However, FDA has chosen not to enforce its sole, preemptive authority to require cybersecurity and information security safeguards on classes of networkable devices that are already in wide use, and to apply its protective standards only to new devices that require pre-market approval. That choice leaves the health care sector as a whole, individual health care providers, and each of us as patients at risk. FDA has left the job undone.
Healthcare information security and privacy advocates should once more call for more robust regulatory oversight of medical devices to ensure that cybersecurity risks are minimized to the greatest extent possible.