The Internet of Things (IoT) isn’t limited to your connected coffeepot, doorbell or home assistant.
If you or someone you know has a modern, implanted pacemaker, defibrillator or monitoring device – time to check the make and model. The FDA has issued a Safety Communication Alert for two models of cardiac implantable electrophysiology devices (CIEDs).
The vulnerability impacts routine scenarios, including downloading patient information or health data, changing the settings on the device to provide optimal care and updating firmware to fix bugs. Although the new alert centers on specific cardiac devices, vulnerabilities also have been recently identified and addressed in other medical devices, including insulin pumps. The problem is so significant that a Medical Device Hacking Lab was set up at the prominent Def Con hacking conference in 2018 to promote education and exploration.
The potential for cyberattacks highlights the safety risks that can arise when unauthorized users interfere with the intended functionality of the device (a quality issue). In response, the FDA has started employing the services of “white hat” hackers, who previously contributed findings on an informal and ad hoc basis:
“Medical device makers have pushed back against ethical hackers who have exposed vulnerabilities in their products, and the FDA has typically tried to stay neutral in the debate. But now agency officials say they’re embracing the ‘white hat’ hacking community - and are stepping up efforts to collaborate.” - Derek Hawkins, Washington Post, 10/17/2018
This is the 14th medical device safety alert issued in 2018 by the FDA, and the second that is related to a cybersecurity risk. In 2017 as well, two out of a total of 14 alerts were issued relating to cybersecurity of the medical device. As more doctors and patients benefit from the convenience of devices that can be updated remotely via the internet, the need for solid quality management systems will continue to increase, to mitigate these potential safety risks.
FDA. (2018, October 11). Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers: FDA Safety Communication. Available from https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm623184.htm
Hawkins, D. (2018, October 17). The Cybersecurity 202: The FDA is embracing ethical hackers in its push to secure medical devices. Washington Post. Available from https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/?utm_term=.ce7d0a7b92e0
Williams, P. A., & Woodward, A. J. (2015). Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Medical Devices (Auckland, NZ), 8, 305. Available from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/
About the Author: Nicole Radziwill
Nicole Radziwill is the Quality Practice Lead at Intelex Technologies. Before Intelex, she was an Associate Professor of Data Science and Production Systems, Assistant Director (VP) End-to-End Operations at the National Radio Astronomy Observatory (NRAO), and manager and consultant for several other organizations since the late 1990's bringing quality management to technologically-oriented operations. She is a Fellow of the American Society for Quality (ASQ) with a Ph.D. in Quality Systems from Indiana State University. Nicole serves as Editor of Software Quality Professional (SQP) journal and is a former Chair of the ASQ Software Division. She is an ASQ Certified Manager of Quality and Organizational Excellence (CMQ/OE) and Certified Six Sigma Black Belt (CSSBB).
This material provided by the Intelex Community and EHSQ Alliance is for informational purposes only. The material may include notification of regulatory activity, regulatory explanation and interpretation, policies and procedures, and best practices and guidelines that are intended to educate and inform you with regard to EHSQ topics of general interest. Opinions are those of the authors, and do not necessarily reflect the opinion of Intelex. The material is intended solely as guidance and you are responsible for any determination of whether the material meets your needs. Furthermore, you are responsible for complying with all relevant and applicable regulations. We are not responsible for any damage or loss, direct or indirect, arising out of or resulting from your selection or use of the materials.