FDA Addresses Cyber-Security Risks in Connected Medical Devices

March 21, 2017 | Privacy, Data & Cyber Law

The “Internet of Things” has pervaded every facet of our society, thereby introducing unanticipated cyber risks into everyday life. Often overlooked and particularly disconcerting are the cyber risks inherent in connected medical devices. Nevertheless, caregivers and patients alike should be aware that any medical device that depends on interactive computer technology may be vulnerable to malicious interference, with potentially dangerous consequences.

In one such case, the Food and Drug Administration (FDA) issued an alert to patients, caregivers, cardiologists, electrophysiologists, primary care physicians and others treating patients with, or using, a radio-frequency enabled St. Jude Medical implantable cardiac device and the corresponding Merlin@home Transmitter.

See https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm.

The alert explained that many medical devices contain configurable, embedded computer systems that may be vulnerable to cyber-security intrusions and exploits. It further explained, “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device could operate.” In the case of the system discussed in the alert, the FDA identified the risk that unauthorized access to the cardiac implant system could result in false programming commands, leading to rapid battery depletion and/or administration of inappropriate pacing or shocks. The manufacturer had created a software patch that reduced the risk of cyber intrusion in the system; the patch itself would be delivered by connecting the system to the Internet as usual. Finally, the FDA conducted a risk assessment and concluded that the health benefits to a patient from continued use of the device outweighed the cyber security risks.

The FDA noted that it takes the continued cyber-security risk of medical devices very seriously. On March 3, 2017, the FDA posted a discussion of the considerations regarding post-market cyber risks and the various steps that the FDA has undertaken in regard to those risks:

https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

This follows the FDA’s Guidance issued December 2016, after a one-year comment period: https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm482022.pdf. The Guidance primarily focused on post-distribution cyber risks, but emphasized that all stakeholders need to consider cyber security throughout a product’s life cycle. Accordingly, whether you are a patient using a device, a medical provider or facility, or a device manufacturer or distributor, it is important to keep abreast of the cyber risks of specific devices and to continue to practice good “cyber hygiene” so that connected devices, just like the rest of your network, will be less susceptible to intrusion.

 
