News


GAO releases report on Medical Device Information Security

10/15/12

As the number of medical devices using wireless and computer-assisted technology increases, the Government Accountability Office (GAO) performed this study to determine what regulatory agencies, such as the FDA, should consider in order to mitigate risk to the patient. Wireless technology can be corrupted accidentally, such as through interference from electromagnetic energy, or intentionally through unauthorized access. While intentional tampering with wireless medical devices has not yet occurred, researchers have been able to demonstrate how it could be done. In addition, software glitches or updates could have extreme negative effects on device performance, and these also need to be considered.

Therefore, the GAO interviewed members from the FDA, Dept. of Homeland Security, and National Institute of Standards and Technology (NIST) that regulate these types of devices in order to develop ideas for best practices, particularly in protecting against intentional tampering. While the FDA has provided guidance to defend against unintentional threats, it has not explored protection against intentional acts. ISO and the International Electrotechnical Commission (IEC) have provided rules for information security in order to assess and mitigate risk for medical devices.

This report covers suggested management of information security, the risks involved, and real examples to assist in securing medical device safety. As a result of this report, the FDA plans to review its current practices in the near future.

To read the full report: http://www.gao.gov/assets/650/647767.pdf