FDAnews
www.fdanews.com/articles/9503-lawmaker-calls-on-devicemakers-to-combat-cybersecurity-vulnerabilities

Lawmaker Calls on Devicemakers to Combat Cybersecurity Vulnerabilities

February 12, 2016

Sen. Barbara Boxer (D-Calif.) is urging leading medical device manufacturers to take steps to address concerns that cybersecurity vulnerabilities are putting patients at risk.

Boxer raised the issue in a Feb. 5 letter sent to Johnson & Johnson, GE Healthcare, Siemens USA, Medtronic and Philips North America — five companies that jointly control more than one-quarter of the global device market.

“The actions your companies take to reduce medical device vulnerabilities exponentially reduce the global risk of medical device cyberattacks and send a powerful signal to the entire industry of the importance of good cybersecurity practices,” Boxer says in the letter.

Last spring, an independent security researcher disclosed a vulnerability in certain drug infusion pumps used in hospitals all across the country, she points out. The weakness allowed the researcher to infect the device software with malicious code and manipulate the pump’s drug dosage levels (IDDM, Aug. 7, 2015).

“If this vulnerability had been discovered by a bad actor, thousands of patients could have been put at risk,” Boxer says.

She emphasizes that conducting ongoing vulnerability testing on these devices is a critical component of ensuring patient safety, as there are currently no well-established standardized processes for identifying and remediating cybervulnerabilities in medical devices. An estimated 36 billion devices will be connected to the Internet by 2020, with many likely located in hospitals in the U.S.

The FDA highlighted this issue last month, releasing draft guidance for postmarket management of cybersecurity in medical devices (IDDM, Jan. 22).

Siemens complies with HHS security and privacy regulations to help customers meet their own IT obligations, says company spokesman Lance Longwell.

“Siemens is not aware of any safety incidents that have occurred as a consequence of security vulnerabilities in our medical devices. This does not lessen our commitment to maintain a strong focus on product security and help our customers protect their data,” he tells IDDM.

Longwell says the company actively monitors reported potential vulnerabilities and incidents from sources — including customers, vendors, security researchers and government agencies — and cooperates with them when addressing reports.

GE agrees with Boxer that advanced cybersecurity protection is important to the healthcare industry, says spokesman Benjamin Fox. The company will continue to work with the FDA, industry and other stakeholders to support initiatives in the healthcare space to enhance cyber readiness, he tells IDDM.

GE intends to respond to Boxer’s letter soon, Fox adds. J&J spokesman Mark Wolfe says the company is in the process of finalizing its response to the letter. Medtronic and Philips could not be reached for comment by press time.

JC Scott, AdvaMed’s senior executive vice president of government affairs, says manufacturers have numerous, rigorous safeguards and quality measures in place to ensure the security and integrity of their devices.

“We are actively working with FDA on their ongoing efforts to raise awareness about potential cybersecurity concerns,” he tells IDDM.

Read the letter here: www.fdanews.com/02-16-BoxerLetter.pdf. — Jonathon Shacat