FDA Guidance Highlights Medical Device Cybersecurity Issues

By Steve Bates Nov 24, 2014

Health care benefits and security professionals are being urged to monitor cybersecurity issues related to medical devices that are implanted in patients.

Technology now makes it possible for a determined person to tamper with someone’s heart pacemaker or another crucial medical device through an electronic connection such as the Internet. Though no such crime is known to have occurred, the concern is great enough that in October 2014, the U.S. Food and Drug Administration (FDA) released guidance for new medical devices to minimize the possibility of them being compromised in this manner.

The issue gained attention in 2007 when security concerns prompted Vice President Dick Cheney to have the wireless feature of his implanted heart defibrillator disabled. In a 2012 episode of the TV drama “Homeland,” a fictional vice president was murdered through a cyberattack on his pacemaker.

Security experts say that these kinds of cybersecurity issues could increase as hackers get more sophisticated and more patients seek to monitor their health information through smartphones.

“The real risk that somebody’s going to go around manipulating individual patients is very, very low,” said Ken Hoyme, a security expert with Minneapolis-based Adventium Labs and a co-chair of the Association for the Advancement of Medical Instrumentation (AAMI) device security work group. Hoyme said there is little incentive for such an attack.

However, said Chris Petersen, founder and chief technology officer of Boulder, Colo.-based security intelligence firm LogRhythm, “While it seems far-fetched, the technology and wherewithal are here today.”

The FDA guidance urges manufacturers:

  • To limit access to devices by minimizing and strengthening user IDs and passwords.
  • To differentiate access based on the user’s role.
  • To provide physical locks on devices where appropriate.

The guidance is not legally binding and does not impact medical devices and systems already in use.

There are three classes of medical devices regulated by the FDA. Class III, the group with the highest level of risk, includes pacemakers and other implants. These devices will get enhanced FDA scrutiny when manufacturers seek the agency’s approval for them, according to Karen Jackler, a spokeswoman for the FDA’s Center for Devices and Radiological Health.

In a statement, Janet Trunzo, senior executive vice president for the Advanced Medical Technology Association (AdvaMed), said, “We understand the FDA’s desire to be cautious in this area,” and that “manufacturers recognize the need for increased security with these devices.”

Jeff Secunda, a vice president with AdvaMed, told SHRM Online that ensuring security for medical devices “is not a new issue. Manufacturers have been doing this for years as part of their risk assessments.”

He said that “very often there is a balance between usability and security” of medical devices that providers and patients must weigh. Typically, a boost in security comes with an increase in cost, he added. “There is no free lunch.”

As a result of the FDA’s guidance, “Now cybersecurity is considered a foreseeable risk,” said Kevin Fu, an associate professor at the University of Michigan and a co-chair of the AAMI work group.

“The real cost is going to be if the health care community and patients are unwilling to accept new devices because of lack of cybersecurity. I think the FDA guidance is going to bring more consistency and more confidence to the process because of a level playing field,” Fu stated. “I actually think it’s going to save costs in the long run.”

Hoyme said that “the vast majority of cybersecurity problems tend to be accidental effects on medical devices” through broad malware and virus attacks.

Fu added that hackers attacking medical equipment and systems often have purposes other than disabling devices. Some of the biggest attacks have involved “organized crime going after insurance information for fraudulent billing.” Personal health information security is beyond the mandate of the FDA.

The FDA’s Jackler noted that some operating systems used in medical devices are identical to ones used in products produced by other industries.

Said Secunda: “Anybody has the potential for an attack.”

Medical device cybersecurity issues won’t disappear quickly, if ever.

“It will take a long time for the FDA guidance to have any practical effect on health care networks,” said Petersen. “There is a lot of legacy equipment” with lifespans of up to 20 years, he said. Many such devices cannot be retrofitted easily to deter cybersecurity attacks.

“When you develop a product, if you don’t design security in, it is very hard to add it later. It’s like trying to put a new foundation under a house,” said Petersen. He urged employers to question their insurance companies and health care providers about controls on the medical devices they use, which he said will add pressure on device manufacturers to boost security.

Internet and other forms of connectivity represent a major point of concern. “Connectivity is akin to exposure to disease. The more connectivity you have, the more potential risk,” said Hoyme. “Even if you lock everything down, you’re still not going to have perfect security. The goal is actually about risk management and better patient outcomes.”

Steve Bates is a freelance writer based in the Washington, D.C., area and a former writer and editor for SHRM.

Quick Links:

SHRM Online Safety & Security page

Subscribe to SHRM’s Safety & Security HR e-newsletter

Job Finder

Find an HR Job Near You
Post a Job


The SHRM Member Discounts program provides member-only access to discounts on products and services you can apply to your life and career, and share with your company.



Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect