Health Industry Washington Watch
GAO Flags Concerns about Implantable Medical Device Information Security
A recent GAO report warns of information security risks – such as unauthorized changes of device settings resulting from a lack of appropriate access controls – associated with the growing use of wireless technology in certain active implantable medical devices (e.g., implantable cardioverter defibrillators and insulin pumps). On the other hand, officials and technology experts caution that efforts to mitigate information security risks need to be balanced against potential adverse impact on devices’ performance, including limiting battery life. The GAO also highlights potential gaps in the FDA’s use of its traditional adverse event reporting system to address information security in active implantable medical devices, particularly since reporting entities might not understand the relevance of information security risks. In the report, “Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices,” the GAO recommends that the FDA develop and implement a more comprehensive plan to enhance the agency’s review and surveillance of medical devices. The plan should address how FDA can: (1) increase its focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate risks during the premarket approval review process; (2) utilize available resources, including those from other federal agencies; (3) leverage postmarket efforts to identify and investigate information security problems; and (4) establish specific milestones for implementing this plan. HHS concurred with GAO’s recommendation and described efforts FDA has initiated in this area.