DeGette, Brooks Seek Details from FDA on Cybersecurity for Medical Devices
House Energy and Commerce Committee members Diana DeGette (D-CO) and Susan Brooks (R-IN) today asked the U.S. Food and Drug Administration for information about how the agency is working to address potential cybersecurity vulnerabilities in medical devices.
In a letter to FDA Commissioner Dr. Robert M. Califf and Director of the Center for Devices and Radiological Health Dr. Jeffrey Shuren, DeGette and Brooks seek details regarding the agency’s plans to further reduce risks of hacking, unauthorized access, or use of malware in medical devices.
The need for effective cybersecurity of medical devices has become more important with the increasing use of wireless, internet- and network-connected devices. Up to 15 million medical devices in circulation, ranging from monitors and infusion pumps to ventilators and radiological technologies, are integrated into the nation’s digitized healthcare network, creating possible avenues for cyber-attacks. As cyber threats continue to evolve at a rapid pace, FDA must work to prevent emerging threats, mitigate existing vulnerabilities, and assess the strength of a device’s cyber resilience in both pre-market and post-market contexts.
“We applaud FDA and other stakeholders for the steps that have already been taken to protect patients against potential emerging threats,” the letter said. “Nevertheless, we have also seen recent headlines about the potential for unauthorized access in insulin pumps and implantable cardiac devices, among others. As technology will undoubtedly continue to evolve at a rapid pace, we must ensure that FDA is equipped with the appropriate cybersecurity expertise and resources to evaluate not only the current risks to new medical devices, but also how new threats affect the medical devices already in use.”
In the letter, DeGette and Brooks pose specific questions to the FDA related to its level of collaboration with medical device manufacturers and other stakeholders, efforts to enhance cybersecurity throughout a device’s entire life cycle, personnel expertise on cybersecurity, and interagency coordination.
A response from the agency is requested by December 16, 2016.