In a timely note, the March 2016 edition of the Medical Devices Safety Update, put out by the Australian Therapeutic Goods Administration, highlights medical device cyber security as a key issue.

Interestingly, this comes shortly after the release by the FDA of its draft guidance in relation to “Post Market Management of Cyber Security in Medical Devices” – previously featured in the Health Law Pulse.

The TGA update notes that devices incorporating wireless communications are particularly vulnerable to hacking, and lists a range of medical devices that use wireless communication, including:

  • infusion, insulin and implantable drug pumps;
  • implantable cardiac defibrillators and pacemakers;
  • neural stimulators; and
  • telemetry heart monitors and infant foetal monitors.

The update highlights a number of areas to be considered, focusing not so much on the device at day one in a static environment, but on the device in its ongoing operational setting and the measures which need to be in place, both in the device and in the surrounding IT infrastructure, in order to minimise the cyber security risks.

One issue that is highlighted in the update is that, particularly for network embedded devices, effective protection against cyber security risks is a function both of the inherent protections built into the device and of the operating environment in which it is implemented. That operating environment is, of course, typically controlled by the customer, not the device supplier.

An issue not addressed in the update, but which is discussed in the draft guidance from the FDA, is the question of when a response to a cyber security threat has a regulatory impact, for example by requiring some approval or notification.

As the mainstream software industry shows, the patching and updating of software to counter security threats and vulnerabilities is a virtually daily occurrence. The update does not turn its attention to whether there is a dividing line, or where it might sit, unlike the draft guidance from the FDA, which contemplates a category of “cyber security routine updates or patches” that would not require advance notification or reporting to the FDA.

Nevertheless, the update provides clear evidence that the cyber security threat posed to intelligent and networked medical devices, or devices that are essentially software based, has the attention of regulators. Robustly countering those threats has profound implications for the suppliers of those devices and also for the manner in which they support and interact with their customers in respect of those devices after their initial supply.