Abstract

We concur with D. Clery (“Could your pacemaker be hackable?,” News, special section on The End of Privacy, 30 January, p. [499][1]) that the U.S. Food and Drug Administration (FDA) has focused on reliability, safety, and efficacy for specific medical devices, with no targeted focus on protecting against malicious cyber attacks. Although cybersecurity is a legitimate concern, sensationalized fictional entertainment like the television series “Homeland” may exaggerate the real risks. Health care practitioners, industry, and insurance payers follow regulations from the FDA, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and the Code of Federal Regulations (CFR). Cybersecurity, as part of the FDA's mandate for risk profile assessment ([1][2], [2][3]), should receive attention from device manufacturers, given that vulnerabilities could potentially lead to downstream issues with CFR or FDA guidelines ([3][4]). Despite reports about their potential cybersecurity vulnerability ([4][5]), medical devices are rarely accessible for hackers to attack. Also, patients and doctors can always disable and overwrite the remote control option. Medical devices requiring occasional Internet access are rarely life-supporting equipment. Patient data is encrypted and transferred through a secured network with redundant securities and risk mitigation strategies ([5][6]). Cybersecurity is a theoretical issue in interventional devices such as surgical robotics. The robotic da Vinci surgical systems are integrated into U.S. medical practice but are rarely connected to unsecured networks. Nevertheless, vulnerabilities may exist despite FDA clearance, as the “FDA allows devices to be marketed when the probable benefits to patients outweigh the probable risks” ([1][2]). The FDA assesses the incremental risk-benefit ratio and decides whether a new device is cleared, using the current technology as the standard.
Risk profiling and failure modes are identified and defined by the FDA routinely, and tangible cybersecurity risks should perhaps be factored into that assessment, even if the risk is small.

1. FDA, Medical Devices, Cybersecurity ([www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/ucm373213.htm][8]).
2. FDA, “Content of premarket submissions for management of cybersecurity in medical devices,” Federal Register, The Daily Journal of the United States Government (2014); [www.federalregister.gov/articles/2014/10/02/2014-23457/content-of-premarket-submissions-for-management-ofcybersecurity-in-medical-devices-guidance-for][10].
3. J. Hsu, “Feds probe cybersecurity dangers in medical devices,” IEEE Spectrum (2014).
4. Industrial Control Systems Cyber Emergency Response Team, “Medical devices hard-coded passwords” (2013); [https://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01][13].
5. U.S. Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA). Administrative Simplification Statute and Rules (2015); [www.hhs.gov/ocr/privacy/hipaa/administrative/index.html][15].
6. Disclaimer/Acknowledgments: The views and opinions of authors expressed herein do not necessarily state or reflect those of the U.S. Government nor does it constitute policy, endorsement, or recommendation by the U.S. Government or National Institutes of Health (NIH). Reference U.S. Code of Federal Regulations or U.S. Food and Drug Administration for further information.

[1]: /lookup/doi/10.1126/science.347.6221.499
[2]: #ref-1
[3]: #ref-2
[4]: #ref-3
[5]: #ref-4
[6]: #ref-5
[7]: #xref-ref-1-1 "View reference 1 in text"
[8]: http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/ucm373213.htm
[9]: #xref-ref-2-1 "View reference 2 in text"
[10]: http://www.federalregister.gov/articles/2014/10/02/2014-23457/content-of-premarket-submissions-for-management-ofcybersecurity-in-medical-devices-guidance-for
[11]: #xref-ref-3-1 "View reference 3 in text"
[12]: #xref-ref-4-1 "View reference 4 in text"
[13]: http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01
[14]: #xref-ref-5-1 "View reference 5 in text"
[15]: http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
