The Internet of Things (i.e., physical devices that can connect to the internet wirelessly) is everywhere — in cars, in household appliances, even our bodies. And while there are endless potential benefits to having smart wireless devices that can perform tasks more efficiently by accessing data about our preferences and needs, many fear that the proliferation of wireless physical devices poses a tremendous threat to our collective security and individual privacy. Importantly, a variety of federal agencies are in that “group of the wary,” and they have made clear that they are prepared to regulate the Internet of Things accordingly. One such agency, the Food and Drug Administration (FDA), recently issued much sought after guidance focusing on the security of wireless medical devices: “Radio Frequency Wireless Technology in Medical Devices: Guidance for Industry and Food and Drug Administration Staff,” (the Guidance). The Guidance is available on FDA’s website and applicable to all medical devices that incorporate RF wireless technology.
FDA published the Guidance amidst heightened public and governmental scrutiny of wireless medical devices. The threat of “human hacking” – taking control of someone’s wireless medical device and modifying its functionality to cause harm – recently gained widespread public attention due to the death of Barnaby Jack. Jack, a young, healthy, and well-respected research hacker, was found dead only days before he was to present his technique for hacking defibrillators and pacemakers at a Black Hat conference. While Jack’s work and untimely death set off a flurry of media coverage that introduced wireless medical device vulnerabilities to the general public, the issue had already captured the federal government’s attention. In fact, well before Jack’s death, the US Government Accountability Office released a report stating that the FDA had failed to provide sufficient guidance to medical device manufacturers (MDMs) on mitigating the security risks faced by wireless medical devices. With both the public and other governmental agencies tapping their feet impatiently, FDA released the long called for Guidance and filled it with many agency recommendations for securing wireless medical devices.
In a two-part post, we will address those recommendations, marry them with relevant FDA regulations and prior FDA guidance, and create a general blueprint for MDMs seeking to remain in compliance with FDA regulations for securing wireless medical devices. Part I (below) discusses wireless device quality control protocols that, according to the Guidance, wireless MDMs must implement to remain in compliance with FDA regulations, as well as FDA’s general recommendations for securing wireless medical devices. Part II will provide a summary of FDA’s more technical recommendations and suggest concrete action items for designing, manufacturing, and maintaining wireless medical devices in an era of enhanced FDA supervision.
1.0 FDA Regulations Require Medical Device Manufacturers to Manage Wireless Technology Risks by Implementing a Variety of Controls
Despite the fact that the Guidance focuses primarily on FDA’s recommended mechanisms for securing wireless medical devices, its most important message maybe that an MDM’s failure to implement certain wireless device quality control procedures constitutes a violation of FDA regulations. According to the Guidance, the FDA regulation governing MDM device quality control systems (21 CFR 820) requires MDMs to take the following steps whenever they incorporate RF wireless technology into a medical device:
The Guidance’s interpretation of what 21 CFR 820 requires of MDMs is not to be ignored. Under the regulation, failure to comply with any of its provisions renders a device adulterated under the FDA Act. Further, both the device and the person deemed responsible for the MDM’s failure to comply with 21 CFR 820 are subject to regulatory action, including recall (for the device) and heavy fines (for the person).
Finally, do not be fooled by the fact that the Guidance’s recommendations are technically non-binding. Remember that these recommendations represent the steps FDA believes MDMs should take to meet their obligations under the FDA regulations governing MDMs’ quality control responsibilities (21 CFR 820). Should something go wrong, failure to adhere to at least the spirit of these recommendations will almost certainly increase the pain stemming from any related FDA investigation or enforcement action.
2.0 General FDA Recommendations for Managing the Risks Associated With Wireless Medical Devices
FDA recommends that MDMs fully consider the risks associated with RF wireless technologies while determining which device functions should be made wireless and which device functions should employ wired connectivity. Careful consideration of these risks makes sense, as the failure of a medical device’s wireless functionality could (i) cause serious physical harm to the patient relying on the proper operation of the device, (ii) lead to the unlawful disclosure, acquisition, or use of confidential patient health information, or (iii) cause disturbances in the functionality of any health IT systems to which they are connected.
Accordingly, the Guidance provides that MDMs should address known wireless safety issues early in the device design and development process all the way through to the end of the device’s life cycle. To accomplish this objective, manufacturers should the following components in their wireless risk analysis and management plan:
In addition, MDMs should consider the potential impact of unintended interference and purposeful attempts to disrupt a wireless medical device or an associated device network’s functionality. They should also test the device’s wireless functionality in intended use environments where other RF wireless technologies will likely be located. MDMs should also consider risks to other devices and patients whose wireless connections might suffer from, or be the source of, interference when considering possible adverse outcomes related to a device’s use of RF wireless technology.
2.1 FDA Recommendations for Securing a Device’s Wireless Signals and Wirelessly Transmitted Data
FDA recommends that wireless medical devices secure wireless signals and data at a level appropriate for (i) the risks presented by the medical device, (ii) the device’s environment of use, (iii) the type and probability of the risks to which the device is exposed, and (iv) the probable risks to patients from a security breach.
Of course, wireless devices cannot appropriately secure wireless signals and data unless they are designed and manufactured with these capabilities. Recognizing this, FDA also recommends that MDMs provide justification for their devices’ wireless security capabilities in their premarket submissions. According to FDA guidance, a wireless medical device has justifiable security capabilities where its security features allow users to deploy device-appropriate controls for (i) limiting access to trusted users only, (ii) ensuring the integrity of data transferred to or from the device, and (iii) protecting the device’s critical functionality after a wireless breach.
Some specific wireless security controls listed in FDA guidance, draft guidance, and industry letters include:
For Limiting Access to a Device
For Ensuring the Data Integrity of a Device
For Protecting the Critical Functionality of a Device
Note: FDA has expressed displeasure at the current state of device access controls (particularly those related to password protection) in the medical device industry. Implementation and enforcement of strong password protection requirements and avoiding the use of hardcoded passwords, as well as providing direction to device users concerning same, should be relatively easy to implement and help to keep MDMs off FDA’s enforcement radar.
So that’s it for Part I. Look out for Part II, where we will delve into FDA’s more specific and technical recommendations for securing wireless medical devices.
 FDA first announced this recommendation in draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” that FDA issued on June 14, 2013. The Guidance specifically adopts this draft guidance’s approach and recommendations.