GAO Report on Potential Information Security Risks for Certain Devices
The Government Accountability Office (“GAO”) recently issued a report titled “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices.” The report was intended to examine how FDA protects active implantable devices against information security risks that could affect their safety and effectiveness. Though the report did not specifically state that its findings should be applied only to PMA devices, GAO evaluated only devices approved through the PMA process.
In the report, GAO: 1) identified the potential security risks associated with active implantable medical devices, 2) determined the extent to which FDA considered potential security threats in its premarket review, and 3) determined what postmarket controls FDA has in place to monitor potential security issues.
While it is important to consider the potential breaches that could affect safety and effectiveness of these devices, it is also important to recognize that the likelihood of such breaches occurring—particularly intentional breaches—may be quite low. GAO itself recognizes this in the report, which states that while “researchers recently demonstrated the potential for incidents resulting from intentional threats in two devices—an implantable cardioverter defibrillator and an insulin pump—no such actual incidents are known to have occurred.”
The review focused on the devices shown by researchers to be vulnerable to security threats—implantable defibrillators and insulin pumps. GAO looked both at FDA’s premarket and postmarket activities related to identification of potential information security risks.
GAO identified eight key information security control areas to consider for medical devices: software testing, verification, and validation; risk assessments; risk management; access control; vulnerability and patch management; technical audit and accountability; security-incident response; and contingency planning. It also looked at key potential unintentional and intentional threats to active implantable medical devices. The unintentional threats are defective software and firmware, and interference caused by electromagnetic signals in the environment.
Key intentional threats include unauthorized access, malware, and denial-of-service attacks. Experts interviewed by GAO agreed that unintentional threats, particularly electromagnetic interference, are less concerning than intentional threats, because manufacturers are aware of these potential threats and have addressed them in their submissions.
GAO also looked at the potential security risks for active implantable devices: unauthorized change of device settings; unauthorized change to or disabling of therapies; loss or disclosure of sensitive data; and device malfunction. GAO noted that “there have been no documented information security incidents resulting from the exploitation of vulnerabilities in these types of medical devices by intentional threats in real-world settings.” The possibility for such exploitation is known primarily due to testing in controlled settings, and manufacturers have noted that these demonstrations of possible exploitation “should not overshadow the clinical benefits offered by medical devices.”
GAO found that, in its premarket review of the devices evaluated, FDA considered information security risks from unintentional threats, but not from intentional threats. Specifically, FDA considered risks in the following areas: software testing, verification, and validation; risk assessments; access control; and contingency planning. The report states that FDA did “not demonstrate that it had considered the potential benefits of mitigation strategies to protect devices against information security risks from certain unintentional or intentional threats in light of the appropriate level of acceptable risk for medical devices with known vulnerabilities.”
Of course, since no intentional threats are known to have occurred, and FDA already reviews devices for protection against certain unintentional threats (such as electromagnetic interference), there does not seem to be any evidence to conclude that these devices, as currently manufactured and marketed, present an unacceptable level of risk. Perhaps for this reason, FDA responded to GAO’s inquiries by noting that, during the review process, FDA focuses “on the most relevant risks that could result in harm to patients.” FDA considers these risks to be clinical, rather than information security, risks. FDA did acknowledge, however, that information security risks resulting from intentional threats “could occur.” It will therefore “consider information security risks resulting from intentional threats when reviewing manufacturers’ submissions for new devices.”
GAO also looked at what FDA could do in the postmarket environment to be more cognizant of possible information security threats. FDA stated that, while it could use postmarket surveillance studies to focus on information security risks, it has no intention to do so, since those studies are intended to address clinical issues. GAO also stated that FDA could require manufacturers to include in their PMA annual reports any information related to potential information security risks.
Based on its review, GAO is recommending FDA “develop and implement a more comprehensive plan to assist the agency in enhancing its review and surveillance of medical devices as technology evolves, and that will incorporate the multiple aspects of information security.” GAO recommends the plan include, at a minimum, the following four actions: 1) increase FDA’s “focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its PMA review process”; 2) “utilize available resources, including those from other entities, such as other federal agencies”; 3) “leverage its postmarket efforts to identify and investigate information security problems”; and 4) “establish specific milestones for completing this review and implementing these changes.”
Given that the risks presented in this report have not yet materialized, and CDRH is in the midst of addressing a variety of issues associated with its review process, the issues discussed in the report may not be high on CDRH’s priority list.