The medical device regulating authority in the United States, the FDA, issued a special warning on cybersecurity threats related to cardiac implantable devices (ICDs). According to the document published on its official website, the FDA aims to alert both companies and patients to any risks that arise from the complexities of certain devices, such as cardiac implantable cardioverter defibrillators (ICDs) or cardiac resynchronization therapy defibrillators (CRT-Ds). The document is addressed mainly to surgeons, cardiologists, and electrophysiologists who use these devices.
The FDA's concerns are based on vulnerabilities created by wireless telemetry, which is commonly used to establish communications and exchange information between the devices. This technology allows remote access to the device, which can include transmission of information, real-time access to the data collected by the device, and even programming settings. The main issue is that the technology has no encryption, authentication, or authorization. These gaps create the possibility of unauthorized access to data and remote control over the devices.
Although there have been no actual incidents to date, the FDA warns all parties involved to use these devices carefully and to report any cases of harm to patients arising from these issues. Moreover, this Safety Communication includes a list of recommendations for healthcare providers who work with the related devices. Among others, one of the recommendations is that there should be no technical ability to impact the operations of the device.
The FDA also reminds medical device manufacturers to be aware of possible vulnerabilities related to wireless communications and to make all reasonable efforts to make the use of cardiac implantable devices (ICDs) safer for patients.
It is important to mention that the present Safety Communication is not the first document released by the FDA on cybersecurity vulnerabilities. Earlier, in October 2018, the regulating authority warned about threats related to software update processes provided through VPN connections.
The development of medical devices and new software brings both new opportunities for advancement in the industry and complex issues. For this reason alone, updated and detailed regulation of cybersecurity aspects is important to ensure the safety of patients using not only ICDs, but also all other wireless medical devices.