US GAO urges FDA to address digital security risk of medical devices

3 October 2012 (Last Updated October 3rd, 2012 18:30)

The US Government Accountability Office (GAO) has urged the Food and Drug Administration (FDA) to develop a plan to address information security risks for medical devices, including insulin pumps and implantable defibrillators.

Medical devices using wireless technology allow physicians to remotely access a patient's device and make adjustments as necessary.

But wireless technology has also opened the door for hackers to remotely exploit a device by delivering a command that makes it unusable, either by slowing or blocking its functionality or by draining its battery, according to a GAO report.

In response to reported cases, GAO analysts want to review the FDA's approach in the premarket application and examine postmarket efforts to identify information security problems involving implantable medical devices.

The GAO said that the FDA has focused more on unintentional threats to implanted medical devices, such as interference from electromagnetic activity of MRI machines.

In response to the GAO's recommendations, the FDA said it will now focus on information security, including risks from intentional threats, when reviewing manufacturers' submissions for new devices.

In addition, the GAO recommended the US Department of Health and Human Services provide guidance to the FDA to increase its focus on information security risks.

The GAO also urged the FDA to use other federal resources, investigate risks through postmarket channels and set milestones for completing a review and implementing changes.


Image: The headquarters of the Government Accountability Office in Washington, US. Photo: Courtesy of Coolcaesar.