Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Dario Lirio
Modernization is critical to enhance patient experience and boost clinical trial productivity
Alexander Khomich
Healthcare software opens up opportunities for clinics in both management and patient care
Gary Shorter
Pharma needs to adapt and evolve with the changing environment of life science data
Etienne Nichols
Quality management system regulation explained
NIST
The short answer: Standard weights, rigorous procedures, and state inspectors ensure measurements are fair and accurate

More Features

FDA Compliance News
First trial module of learning tool focuses on ISO 9001 and is available now
Free education source for global medical device community
Good quality is adding an average of 11 percent to organizations’ revenue growth
Further enhances change management capabilities
Creates adaptive system for managing product development and post-market quality for devices with software elements
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals

More News

Russ King

FDA Compliance

Cybersecurity—A Real Threat to Medical Devices

Safeguards must be implemented to protect patients

Published: Monday, August 24, 2015 - 12:36

The FDA just issued a Safety Communication on the cybersecurity vulnerabilities of the Hospira Symbiq Infusion System, which is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals or other acute and non-acute health care facilities such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers, potentially harming the patient. Although it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling it, cybersecurity is still a real concern. Now that more and more devices are connecting remotely to healthcare networks, it will be critical for manufacturers to implement appropriate safeguards.

In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack.  An attack could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

As medical devices rely more heavily on networked communication, cybersecurity is going to become an even greater concern. The FDA has already become aware of the following breaches:
• Network-connected/configured medical devices infected or disabled by malware
• The presence of malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel)
• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

As a medical device manufacturer, it’s important for you to remember that it’s your responsibility to identify risks associated with your devices. The FDA expects you to take appropriate actions to limit opportunities for unauthorized access to the device. If you need assistance implementing safeguards for your devices, we can help you determine how to reduce product risk.

First published Aug. 11, 2015, on the AssurX blog.

Discuss

About The Author

Russ King’s picture

Russ King

Russ King is president of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.