Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Jon Speer
As a medical device manufacturer, you can expect to be inspected
Dirk Dusharme @ Quality Digest
Huge amounts of biometric, DNA, and diagnostic data enable personalized medicine. They also enable unscrupulous and discriminatory marketing.
Nicole Radziwill
A cloud-based QMS can help address common international standards and regulations
Kelly Kuchinski
Particularly in regulated industries, you really do want to know what goes into the sausage
Mike Richman
A primer for life science manufacturers

More Features

FDA Compliance News
Creates adaptive system for managing product development and post-market quality for devices with software elements
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
The FDA wants medical device manufactures to succeed, new technologies in supply chain managment
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
The FDA’s RMAT designation goes live

More News

Russ King

FDA Compliance

Cybersecurity—A Real Threat to Medical Devices

Safeguards must be implemented to protect patients

Published: Monday, August 24, 2015 - 12:36

The FDA just issued a Safety Communication on the cybersecurity vulnerabilities of the Hospira Symbiq Infusion System, which is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals or other acute and non-acute health care facilities such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers, potentially harming the patient. Although it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling it, cybersecurity is still a real concern. Now that more and more devices are connecting remotely to healthcare networks, it will be critical for manufacturers to implement appropriate safeguards.

In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.  An attack could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

As medical devices rely more heavily on networked communication, cybersecurity is going to become an even greater concern. The FDA has already become aware of the following breaches:
• Network-connected/configured medical devices infected or disabled by malware
• The presence of malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel)
• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

As a medical device manufacturer, it’s important for you to remember that it’s your responsibility to identify risks associated with your devices. The FDA expects you to take appropriate actions to limit opportunities for unauthorized access to the device. If you need assistance implementing safeguards for your devices, we can help you determine how to reduce product risk.

First published Aug. 11, 2015, on the AssurX blog.

Discuss

About The Author

Russ King’s picture

Russ King

Russ King is president of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.