Lawmakers are urging the Food and Drug Administration to more thoroughly vet certain implantable medical devices for security, not just safety, risks. They include life-saving defibrillators, insulin pumps and pacemakers, which have been shown in recent years to be vulnerable to remote attacks.
Last week three senior members of the U.S. House of Representatives called on the FDA to improve its oversight of implantable wireless medical devices. Their requests were in response to a GAO report that found medical device manufacturers slow to respond to the information security-related threat the vulnerable devices pose.
“Even the human body is vulnerable to attack from computer hackers,” said Rep. Anna G. Eshoo, whose California district includes Silicon Valley, in a prepared statement. “Implantable medical devices have resulted in tremendous medical benefits for the patients who use them, but the demonstrated security risks require a renewed emphasis by the FDA and manufacturers to identify, evaluate and plug the potentially rare but serious security holes that exist in these devices.”
Though the FDA said no incidents have been reported, security researchers recently demonstrated the settings on certain devices – a type of defibrillator and an insulin pump – can be remotely manipulated due to poor access controls. This could allow an attacker to dispense potentially lethal doses from compromised devices.
The GAO report said the FDA looks at unintended threats, such as electromagnetic activity, from a safety standpoint. But it hasn’t done enough to address the security issues related to increasingly complex, embedded devices.
The agency recommends the FDA at a minimum carefully evaluate such threats identified by manufacturers and have strategies in place to mitigate any known vulnerabilities before a device hits the market. A more rigorous review also should leverage resources of other federal agencies, such as NIST.
“Wireless medical devices are susceptible to increasingly advanced hacking techniques that could threaten patient health,” said Massachusetts Rep. Edward J. Markey. “Patients need to be informed about whether the medical devices implanted in their bodies contain security vulnerabilities that could harm them so they can take appropriate precautions whenever possible. This report underscores the need to require manufacturers to acknowledge these threats and for FDA to address the risks before the devices are sold to the public.”