Dr. Avi Rubin, a computer science professor at Johns Hopkins University, spoke during a TED talk to raise awareness of cybersecurity in medical devices. He claimed that all programmed implantable devices must communicate wirelessly to be reprogrammed or subjected to diagnostic testing. Most devices, especially implants, are now required in the medical industry to be wirelessly connected to a network for efficient communication [1]. Without a complete understanding of trustworthy computing and of what hackers can do or want, there is unpredictable danger looming. For example, a commercial off-the-shelf ICD (implantable cardioverter-defibrillator), better known as a pacemaker, was used in an experiment that tested its software security by launching different cyber-attacks in an attempt to compromise the device [1]. Using reverse engineering techniques, the research team was able to create a simple transmitter that could send wireless signals using only commodity equipment and software. The device was successfully compromised in several catastrophic ways, including altering therapies such as fibrillation and disabling the device completely, in addition to battery draining and full access to patient personal information and cardiac data, among many more [1]. This experiment represents the underlying liabilities medical devices possess as wireless communication becomes the standard in healthcare technology.
The FDA recognizes the insurmountable liabilities of inadequate cybersecurity, which call for relentless attention to reducing all known cybersecurity risks of different devices. In an effort to identify all known risks posed by a weakness in the software or some exposed factor of a medical device, the FDA implemented what is called “safety communication” [2]. These are notification messages containing useful information about the vulnerability and recommended actions that patients, providers, and manufacturers can take to mitigate most cybersecurity threats. Using its extensive database of diverse device records, the FDA will provide cybersecurity insight about applicable risks to those marketing similar devices [2].
The team at EMMA International has proven experience helping navigate the necessary steps to comply with cybersecurity regulations tailored to different sectors of MedTech. Be sure to give us a call at 248-987-4497 or email us at info@emmainternational.com to learn more about how EMMA International can take the stress out of cybersecurity regulations as it pertains to all things quality and regulatory compliance!
[1] Dr. Hugh Herr (TED 2011) Security Vulnerabilities, Threats and Attacks in the Real World, Retrieved on 29 June 2021 from: https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked#t-16719
[2] FDA (2021) Cybersecurity, Retrieved on 29 June 2021 from: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity