The Food and Drug Administration will begin looking at external security vulnerabilities of the software in medical equipment after inquiries from congressional investigators.
A report issued Thursday by the Government Accountability Office (PDF) found that for wireless medical devices, the FDA “did not consider information security risks from intentional threats as a realistic possibility until recently.”
Agency officials told the authors of the GAO report that they plan to re-examine their evaluations of software used in medical devices and add an assessment of “information security risks.”
“Although researchers have recently demonstrated the potential for incidents resulting from intentional threats in two devices—an implantable cardioverter defibrillator and an insulin pump—no such actual incidents are known to have occurred, according to the FDA,” the report noted.
Among the information security risks posed by vulnerable medical device software are unauthorized changes to device settings, the GAO report noted.
Both FDA officials and technology experts told the investigators that any effort to mitigate security vulnerabilities in device software should be balanced against the potential adverse effects of such mitigations on device performance, including limiting battery life.
The report also criticized the FDA's post-market surveillance efforts, which include an adverse-event reporting system that is supposed to track information security problems with medical devices.
“Because information security in active implantable medical devices is a relatively new issue, those reporting might not understand the relevance of information security risks,” the report said.
In an e-mailed response to questions, Michelle Bolek, an FDA spokeswoman, said her agency shares the GAO's concerns about the security and privacy of medical devices and emphasizes security as a key element in device design.
“To ensure the safety and effectiveness of active implantable medical devices as technology evolves, FDA concurs with GAO that the agency continuously develop and implement new strategies designed to assist the agency in its medical device premarket review and post-market surveillance efforts relative to information security,” she said.