FDA Device Alert: A Catalyst for Change
Attorney Discusses Medical Device Cybersecurity Challenges
The recent alert from the Food and Drug Administration advising healthcare organizations to stop using a line of infusion pumps because of cybersecurity flaws "is a very significant regulatory development," says attorney Anna Spencer, who has represented device makers. That bold action, coupled with the FDA's new security guidance for manufacturers, will lead the companies to be more focused on risk management, she predicts.
The FDA, in an unprecedented move, recently urged hospitals and others to discontinue use of the Symbiq line of infusion pumps from Hospira after independent researchers discovered vulnerabilities in those devices that could allow an unauthorized user to control the device and change the dosage of medication the pump delivers (see FDA: Discontinue Use of Flawed Infusion Pumps).
While the FDA said neither it nor Hospira was aware of any patient adverse events or unauthorized access of the infusion system in a health care setting, the advisory raised eyebrows, Spencer admits.
"Certainly regulatory action like FDA against Hospira ... is a very powerful message to industry," she says.
The action came after the FDA last fall issued guidance "regarding their expectations for medical device makers to include in their pre-market submissions for product approval by the agency information about the planned management of cybersecurity issues in the devices," she says in an interview with Information Security Media Group.
The FDA's action in the Hospira case, and its issuance of guidance, "mean that manufacturers will be [more] focused on cybersecurity risks, and I think that trend will continue," she says.
"Life science companies are becoming more and more attuned to these issues and are adopting best practices and addressing those issues."
In the interview, Spencer also discusses:
- The top privacy and security challenges facing pharmaceutical firms and medical device manufacturers;
- How organizations can improve their breach detection and response programs;
- The significance of a pending proposal from the Department of Health and Human Services' Office for Civil Rights for how breach victims should be offered a share of civil monetary penalties collected by OCR for HIPAA violations.
Spencer is a partner and team leader for health information policy in Sidley Austin LLP's healthcare and privacy, data security and information law practices. She regularly counsels pharmaceutical and medical device manufacturers and healthcare providers on information privacy and security issues and assists them with respect to various health care privacy laws, investigating and responding to data breaches and information security incidents.