GAO: FDA process overlooks information security risks for ICDs
The FDA’s premarket approval process for implantable cardioverter-defibrillators (ICDs) addresses potential clinical risks but not information security risks, according to a report by the Government Accountability Office (GAO). The report recommended that the regulatory agency incorporate several pre- and post-marketing strategies to ensure the safety and effectiveness of implantable medical devices.

In 2008, researchers demonstrated that they could remotely exploit a defibrillator by delivering a command through the associated wand and programmer. A separate demonstration showed similar vulnerabilities in implantable insulin pumps.

Using those two cases, GAO analysts set out to identify information security-related threats and vulnerabilities; review the FDA’s approach in their premarket application (PMA); and examine postmarket efforts for identifying information security problems involving implantable medical devices. They also reviewed additional documentation for another defibrillator reviewed by FDA in 2012 to assess current practices.

“Information security risks resulting from the exploitation of vulnerabilities by threats could adversely affect the safety and effectiveness of active implantable medical devices,” the authors wrote. “As technology evolves and medical devices become more complex in design and functionality, the potential for these risks occurring is also likely to increase.”

The GAO’s evaluation found evidence that the FDA reviewed software testing, verification and validation for the wand. In a response to the agency, the FDA also reported it reviewed software testing in the original submission for the defibrillator. But the evaluators wrote that the FDA did not provide evidence of reviewing security-specific components such as code protection and security functionality verification.

Nor did the FDA provide evidence of a review of ongoing risk management for the defibrillator, wand and programmer as well as limited evidence of evaluation of access restrictions and unauthorized wireless access. The agency also failed to show that the manufacturer demonstrated it had a process for identifying and addressing newly discovered vulnerabilities.

The authors noted that examples from 2012 showed that the agency had stepped up its consideration of information security during PMA review for software testing, verification, and validation; risk assessments; access control, and contingency planning.

“For example, FDA conducted a more comprehensive review of the manufacturer’s software verification and validation documentation, and included software-testing documentation, electromagnetic-compatibility testing, electromagnetic-interference testing and frequency testing,” they wrote. “FDA also provided evidence of its consideration of a fifth information security control area—risk management—in this newer PMA application. However, FDA did not provide any evidence showing its consideration of security-specific tests.”

The GAO report said that the FDA was aware of its limitations. FDA officials told the GAO evaluators that with PMAs they looked at risk that could result in harm to patients as well as the intended use of the device and the type of setting in which the device would be used, as determined by the manufacturer.

According to the GAO report, FDA officials said the agency plans to beef up efforts related to information security, including risks from intentional threats, when reviewing manufacturers’ submissions for new devices.

FDA representatives said the agency also plans to review its approach to evaluating software used in medical devices. The project will assess the FDA’s resources and evaluative tools as well as compare the FDA’s process of reviewing software in medical devices to other industries that rely on high-risk, complex software products. Based on the findings, the FDA may identify external resources it can use to evaluate information security risks in medical devices.

The FDA does not plan to require manufacturers to conduct postmarket studies that focus on information security risks, the GAO found. But it may use initiatives designed to improve postmarket identification and analysis of medical device problems to capture information security-related data.

“Although FDA intends to review its evaluation of software used in medical devices, according to the agency’s preliminary planning information, the review does not explicitly mention information security issues such as malware, patching and vulnerability management, or the use of security-related testing techniques,” the GAO authors observed. “Furthermore FDA has not established specific milestones, including when it will implement any changes, for the review.”

The GAO recommended that the U.S. Department of Health and Human Services provide guidance to the FDA to increase its focus on information security risk, use other federal resources, investigate risk through postmarket channels and set milestones for completing its review and implementing changes.