The FDA issued a safety communication last week advising firmware updates of implantable cardiac pacemakers. Safety communications are quite common. In fact, the FDA has issued ten such communications so far this year, most of them focusing on accuracy errors, potential contaminations, and other operational hazards. What makes the latest communication noteworthy, however, is that it is one of the few to address cybersecurity vulnerabilities.
To understand the significance of the latest FDA safety communication, one only needs to review the trends from the past several years. Dating back to 2011, the FDA has issued a total of 82 safety communications, of which only 4 were due to security concerns. The security-related communication in 2013 was a general warning to healthcare providers of possible attacks on medical devices. The 2015 communication focused on a discontinued IV pump and encouraged providers to phase out the old pump in favor of newer models.
This year’s security-related communications go many steps further. The latest one details the root cause of the problem, the process and approximate duration of the firmware update, possible hazards to monitor, and specific recommendations for providers as well as patients. I commend the FDA for starting to focus their attention on cybersecurity vulnerabilities. But of equal significance, the amount of detail and guidance provided in the latest communication shows a vast improvement over times past. This level of focus and guidance is sorely needed in the industry.
So how much safer are we with the latest efforts by the FDA? While certainly a step in the right direction, there are millions of medical devices in use today based on legacy and often vulnerable operating systems and applications. It is unrealistic and impractical to rely on the FDA and device manufacturers alone to identify and provide workarounds for all vulnerable devices. The responsibility continues to fall on healthcare providers to complement their medical device deployments with the necessary security solutions to thwart the latest ransomware, wiperware, and other modern attacks.