Reacting to the findings of a new Government Accountability Office (GAO) report they requested last year, three senior House Democrats today are calling on the Food and Drug Administration (FDA) to improve its oversight of implantable wireless medical devices. In recent demonstrations, computer security experts revealed that some implantable medical devices can be remotely controlled by a hacker, posing potentially serious health risks to patients.
The GAO report, "MEDICAL DEVICES: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices," found that both the FDA and medical device manufacturers have been slow to respond to this emerging threat. "FDA has not considered information security risks resulting from intentional threats," the GAO concluded. More specifically, the agency failed to consider "intentional threats" in the pre-market approval and evaluation of two devices that were successfully hacked, an implantable cardiac defibrillator and insulin pump. The GAO also found that the FDA has not utilized resources available from other government agencies, particularly the National Institute of Standards and Technology (NIST), which maintains a federal computer security vulnerability database and provides guidance and standards related to computer security.
The three lawmakers who requested the review were: Mr. Edward J. Markey, former Chairman of the Telecommunications subcommittee and current senior member of the Energy and Commerce Committee; Ms. Donna F. Edwards, Ranking Member, Subcommittee on Technology and Innovation, Committee on Science, Space and Technology; and Ms. Anna G. Eshoo, Ranking Member, Subcommittee on Communications and Technology, Committee on Energy and Commerce and Co-chair of the House Medical Technology Caucus.
"Wireless medical devices are susceptible to increasingly advanced hacking techniques that could threaten patient health," said Rep. Markey. "Patients need to be informed about whether the medical devices implanted in their bodies contain security vulnerabilities that could harm them so they can take appropriate precautions whenever possible. This report underscores the need to require manufacturers to acknowledge these threats and for FDA to address the risks before the devices are sold to the public."
"It is unacceptable that the Food and Drug Administration is ignoring the resources of other government agencies in evaluating life-saving medical devices," said Rep. Edwards. "In the future, I expect the agency to utilize the computer security expertise offered by NIST and other federal agencies to assess the security risks posed by these devices. The FDA must address potential threats and close security gaps in order to have the full confidence of Congress and the American people."
"Even the human body is vulnerable to attack from computer hackers," said Rep. Eshoo. "Implantable medical devices have resulted in tremendous medical benefits for the patients who use them, but the demonstrated security risks require a renewed emphasis by the FDA and manufacturers to identify, evaluate and plug the potentially rare but serious security holes that exist in these devices."
To address security issues, the GAO recommends in the report that the Secretary of the Department of Health and Human Services direct the Commissioner of the FDA to develop and implement a more comprehensive plan to assist FDA in enhancing its review and surveillance of medical devices that more fully incorporates information security into these devices. The GAO listed four actions by the FDA that should be included in this plan:
1) The FDA should increase its focus on manufacturers' identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process;
2) Utilize available resources, including those from other entities, such as other federal agencies;
3) Leverage its post-market efforts to identify and investigate information security problems; and
4) Establish a specific schedule for completing this review and implementing these changes.