FDA Warning Formalizes Growing Cybersecurity Concerns for Medical Devices

The ground-shaking OPM hack affecting over 20 million Americans and a string of other high-profile hacks in the private sector brought cybersecurity to the public’s attention, but it has become an even more intimate issue for individuals following the FDA’s first-ever medical device warning for IT vulnerabilities. The July 31 FDA warning communicated that an independent researcher and the manufacturer Hospira had found that the company’s Symbiq drug infusion pump could be accessed and controlled by hackers through a hospital’s wireless network. The FDA urges healthcare users to immediately discontinue use of the Symbiq pump, which was already set to be phased out by the end of 2015. Various investigators had already demonstrated the IT vulnerabilities of sensitive devices such as infusion pumps and implantable devices prior to this first-ever FDA warning; however, the warning also comes after years of heightened recall activity and product issues for infusion pumps.

The critical role of infusion pumps - intravenously administering pharmaceuticals to patients at correct and accurate dosage rates - drew the attention of cybersecurity experts years ago. A hack of any insulin infusion pump within a 300 meter radius was demonstrated at a conference in 2011. Researchers also demonstrated the hack of an implantable cardiac defibrillator (ICD) in 2008. More recent cybersecurity conferences such as Black Hat have spared the healthcare industry from their marquee demonstrations, though the industry remains exceptionally vulnerable to hacking. A major protection against such events has been a lack of motivation; the hijacking of distributed operational devices has negligible black market value, and malicious intent has yet to surface in healthcare settings. Prior to the Symbiq warning, the FDA had issued only a broad warning to the device industry and hospitals to ensure “appropriate safeguards are in place to reduce the risk of [device] failure due to cyberattack”. The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has been arguably the most active government agency with regard to device security, having issued advisories for specific infusion pumps and implantable devices since 2011.

Frequent recalls in the infusion pump industry may have also prompted the FDA to recently take action with the Hospira Symbiq pump. As reviewed in Kalorama Information’s The World Market for Infusion Pumps, 21 companies were affected by recalls for infusion pumps and related equipment between 2003 and 2013. Beginning in 2009, the FDA reported a noticeable increase in the number and severity of infusion pump recalls. A significant portion of the recalls was attributed to faulty device design. The number of adverse events reported to the FDA and the uptick in recalls prompted the agency to establish the Infusion Pump Improvement Initiative in 2010. The FDA also took an increased role in the evaluation of infusion devices, including the development of software.

The threat of device hacking remains problematic because remotely controlled, harmful device operation may go unnoticed amid the high volume of adverse events reported for infusion pumps and implantable devices. Device security figures to become a more important parameter for infusion pump development and purchasing decisions in the wake of the FDA warning. Prior to the warning, software integration with manufactured devices was already identified by regulators as a source of problems in infusion pump operation. While competitive balance in the infusion pump market may be shifted by increased regulatory and purchaser attention to device IT vulnerabilities, significant adverse effects on the market as a whole are not anticipated as a result of the recent FDA warning. The infusion pump market has maintained its trajectory of steady growth through several tumultuous years of recalls.

Kalorama Information offers several relevant titles including The World Market for Infusion Pumps, The Global Market for Medical Devices, 6th Ed., Implantable Infusion Pumps: World Market Analysis, and Insulin Infusion Pumps: World Market Analysis.