Cybersecurity vulnerabilities are an increasing concern as medical devices become more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.
FDA recently warned of cybersecurity risks to Hospira’s Symbiq Infusion System, a computerized pump designed for the continuous delivery of general infusion therapy. According to FDA, Hospira’s infusion pump can be accessed remotely through a hospital’s network, allowing an unauthorized user to control the device and change the dosage the pump delivers. Given this risk, FDA issued an alert to health care facilities to “strongly encourage” them to discontinue use of Hospira’s pumps and transition to alternative infusion systems. The agency acknowledged, however, that it was not aware of any adverse events or unauthorized access of Hospira’s pump in a health care setting. FDA recommends that health care facilities follow the good cybersecurity hygiene practices outlined in the FDA Safety Communication “Cybersecurity for Medical Devices and Hospital Networks,” posted in June 2013.
Over the past few years, the agency’s efforts in promoting cybersecurity have led it to collaborate with other agencies and organizations. Last September, FDA announced its partnership with the National Health Information Sharing & Analysis Center, Inc. (NH-ISAC), a non-profit organization focused on advancing health sector cybersecurity. The collaboration, formalized through a Memorandum of Understanding, includes a goal to develop a shared risk-assessment framework to help the health care industry better assess and mitigate cybersecurity risks that affect their products.
NIST is also directing its efforts toward promoting cybersecurity. Recognizing that use of mobile devices to store, access, and transmit electronic health records is outpacing the privacy and security protections on those devices, NIST recently issued a draft practice guide, “Securing Electronic Health Records on Mobile Devices.” This is the first in a planned series of publications on improving cybersecurity across industries through the use of standards-based, commercially available or open-source tools.
According to NIST, medical identity theft costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions. Indeed, patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack, NIST reports.
Packaged as a “How To” guide, the draft practice guide provides organizations with best practices for securing health care data on mobile devices. Specifically, the guide describes the best practices in a hypothetical scenario in which a primary care physician uses a mobile device for routine, recurring activities such as sending a referral containing a patient’s clinical information to another physician, or sending an electronic prescription to a pharmacy. NIST is taking public comments on the practice guide through September 25.