FDA’s new cyber security lab tests for “fuzzing” to promote medical device safety
The FDA will reportedly launch a new cyber security laboratory to address security concerns for medical devices. The administration says that it is in the midst of developing new product regulations for medical device manufacturers to guard against hacking attempts. The labs will be used to test medical devices for vulnerabilities to data “bugs” that cause software to crash and disable system functions. The process, called “fuzzing,” subjects a piece of software in the device to an influx of unintended input data requests in order to test how the device responds. The results help determine any vulnerabilities and allow manufacturers to fix them before the product is released, thus making products safer for patients and less likely to break down.
The announcement comes in response to several warnings from the National Institute of Standards and Technology (NIST), security researchers and other government agencies about the need for FDA security assessments of medical devices before they are released on the market. Experts say hackers can disrupt medical devices, disable key functions and obtain sensitive and personal data, often by interrupting wireless signals or through remote access vulnerabilities and faulty warning mechanisms. Even more threatening, these attacks can harm, or even kill, patients. Researchers conducting security experiments on medical devices have found that cyber attacks can threaten patients’ lives as well. During security tests, scientists discovered ways to disable devices, such as insulin pumps, and turn them off or dispense fatal doses. These attacks could be performed through a simple scan of a public space that identified vulnerable pumps, all without the patient ever becoming aware of a broken device. NIST also called for the FDA to implement post-marketing surveillance tools that can track software vulnerabilities once a product is in use. Other groups, including the Medical Device Innovation, Safety & Security Consortium, have launched their own tools and programs to address the increasing cyber security risks in medical devices.
The issue has garnered legal attention as well. Some defense lawyers have already threatened to take manufacturers of faulty devices to open court if changes are not made and say damages from personal injury claims could reach well into the millions of dollars.
Managing security for medical devices can be difficult since the security of each device is largely affected by the overall security of its individual network. Other factors, including how long a device has been in use and its networking capabilities, can also affect how susceptible it may be to hackers. The FDA also said it will now require manufacturers to submit proof that their devices adhere to certain confidentiality, integrity and accessibility principles. Not all devices will be held to the same standards, however, since certain products are more complex (such as those that keep patients alive) and require much more stringent controls and monitoring. Manufacturers are also advised to consider cyber security during the design phase of new devices in order to prevent future risks. Finally, the agency said manufacturers should document all precautionary measures and considerations made during product development in a cyber security and risk management plan.
Medical technology companies should weigh the impact of a breach of online or wireless security in their risk management review. To address the needs of medical technology companies, insurers are offering blended policy forms addressing Product Liability, Errors and Omissions Liability and Information Security Liability. To learn more, contact WGA’s Life Sciences Practice.
About the Author
Amy Sinclair is an Executive Vice President and co-leader of the Life Sciences Practice in WGA’s Property and Casualty Group. She negotiates, implements and manages comprehensive insurance programs for a variety of clients, ranging from venture-backed start-up organizations up to publicly traded companies.