Medical device manufacturers would be wise to take each cybersecurity safety warning and alert posted to the FDA’s website as a cue to beef up cybersecurity planning during the design and validation of their products. Breaches of unsecured protected health information have affected over 42.7 million U.S. citizens thus far in 2023, according to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights.
Malicious actors and security breaches affect perceptions as well as behavior. GlobalData’s Q2 2023 tech sentiment poll reports that 70% of survey participants expect cybersecurity to disrupt the healthcare industry, with 41% expecting a significant disruption.
“Hackers can exploit various entry points, ranging from physical medical devices in and outside of medical facilities to gaining unauthorized access to networks from nearly any connected device, medical or not,” noted Ashley Clarke, medical analyst at GlobalData. “The implications of such attacks can be far-reaching, affecting patient privacy, interrupting healthcare services, and jeopardizing the safety and effectiveness of medical devices.”
In recent cyber devices guidance, the Consolidated Appropriations Act, 2023 (“Omnibus”), the U.S. Food & Drug Administration issued provisions on the cybersecurity of medical devices that require premarket review by the FDA. Under Section 3305 (Ensuring Cybersecurity of Devices) of the Omnibus, which came into effect on March 29 of this year, medical device manufacturers now need to submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities when applying for new premarket authorizations.
Manufacturers and healthcare facilities can manage the risk of unauthorized access by implementing these recommendations and following the safety guidance set out by the FDA. The guidance is designed to help ensure patient safety and tackle vulnerabilities in tandem with healthcare providers and medical device manufacturers such as Medtronic.
A recent notification from the medical technology solutions provider informed the public of a potential issue associated with the Medtronic MiniMed 600 Series Insulin Pump System. This pump system includes components that communicate wirelessly, such as the insulin pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter and CareLink USB device. The issue was that the communication protocol used by the pump system could allow unauthorized access, specifically when the pump was being paired with other system components. Once breached, the pump could deliver too much or too little insulin.
In this event, the FDA stated that it was not aware of any reports related to this cybersecurity vulnerability, and Medtronic duly provided instructions on its website on how to address the vulnerability.