FDA issues another reminder about the risks of connected medical devices to hacking

Rebecca Vesely

About Rebecca Vesely

Rebecca Vesely is AHCJ's topic leader on health information technology and a freelance writer. She has written about health, science and medicine for AFP, the Bay Area News Group, Modern Healthcare, Wired, Scientific American online and many other news outlets.

In recent years, as medical devices have become more connected, cybersecurity experts have sounded the alarm on their vulnerabilities.

A panel at Health Journalism 2018 covered the topic, with experts encouraging reporters to ask their local hospitals about plans to safeguard medical devices from cyber threats.

Now, the Food and Drug Administration (FDA) is warning patients and health care providers that certain Medtronic MiniMed insulin pumps are being recalled due to potential cybersecurity risks. To date, there are no confirmed reports of patient harm, the FDA said.

Meanwhile, the FDA will hold a public discussion on medical device cybersecurity on Sept. 10 at its Patient Engagement Advisory Committee meeting.  The committee is expected to make recommendations on what factors to consider when informing the public about cybersecurity risks.

Recommendations will also “address concerns patients have about changes to their devices to reduce cybersecurity risks as well as the role of other stakeholders such as health care providers in communicating cybersecurity risks to patients,“ according to the FDA.

The insulin pumps affected by the recall connect wirelessly to the patient’s glucose meter and a continuous glucose monitoring system, which track’s the patient’s glucose levels throughout the day. The concern is that an unauthorized person could change the insulin pump settings remotely and deliver too much or too little insulin to the patient, causing harm.

Suzanne Schwartz, M.D., deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA’s Center for Devices and Radiological Health, said in a statement that “any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users.”

Schwartz added “at the same time, it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”

1 thought on “FDA issues another reminder about the risks of connected medical devices to hacking

  1. Paul Burke

    Reporters who have cyber experts among their readers may want to note that the FDA notice (which Rebecca links to) says the committee wants comments this month, to consider at the September 10 meeting. “send written submissions to the contact person on or before July 30, 2019.”
    https://federalregister.gov/d/2019-14141

    None of the committee members seems to have cyber expertise, so we can hope they will value expert comments.
    https://www.fda.gov/advisory-committees/patient-engagement-advisory-committee/roster-patient-engagement-advisory-committee

    FDA has pages of guidance on communicating device risks, (pages 7, 13-15, 39), though not yet on cyber specifically.
    https://www.fda.gov/media/71030/download

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.