S130: Cybersecurity Vulnerabilities of Medical Devices: An Examination of Recalls Issued by the US FDA
Ngoctran Thi Tran
University of Southern California School of Pharmacy United States
The objective was to assess the nature of FDA medical device recalls that were based on cybersecurity issues to identify which product types and therapeutic areas are most impacted so that the results can inform product developers and policy makers.
A list of medical devices recalled because of cybersecurity vulnerabilities was developed from information available on FDA.gov. These recalls were categorized according to relative degree of risk (device class and recall class), therapeutic areas, and corrective actions taken by manufacturers.
All medical devices are classified based on their relative degree of risk where class I devices pose the lowest relative degree of risk to the end-user and class III devices pose the highest. Preliminary results show that, to-date, a total of 38 devices were recalled due to cybersecurity vulnerabilities. Of these devices, 3% (1/38) are class I devices, 39% (15/38) are class II, and 58% (22/38) are class III. When a product is recalled, the recall is given a distinct classification that is also based on its relative degree of risk such that a class I recall is considered to have the highest relative degree of risk whereas a class III recall has the lowest. Of the 38 previously mentioned devices that were recalled, 5% (2/38), 87% (33/38), and 8% (3/38) belong to recall classes I, II, and III, respectively.
The recalls were primarily confined to two therapeutic areas: diabetes and cardiovascular. Half of the recalls were for devices indicated for use in the management of diabetes mellitus (50%, 18/38) and the other half for use in the management of cardiovascular diseases (50%, 18/38). Device types included insulin pumps (18/38), defibrillators (11/38), intra-aortic balloon pumps (2/38), pacemakers (1/38), telemetry/ cardiac electrophysiology/ vital signs monitors (4/38), and chemistry analyzers (2/38). Additionally, 32% (12/38) of the devices were implantables, while 29% (11/38) were life-sustaining/life-supporting.
Lastly, most corrective actions involved software updates (50%, 19/38) and device upgrades (42%, 16/38). All of the corrective actions for implantable devices (pacemakers and defibrillators) so far have been software updates. For implantable devices not eligible for software updates, wireless communication capability can be permanently disabled.
Although there have been few (5%, 2/38) serious class I recalls due to cybersecurity issues, the majority (58%, 22/38) are for class III medical devices, which are usually used to sustain or support life, are implanted, or present potential unreasonable risk of illness or injury. Additionally, many patients are affected by these cybersecurity recalls as insulin pumps and defibrillators are used widely in many patients with diabetes and cardiovascular disease. Finally, these results indicate the importance of updating capabilities for older (legacy) devices, especially for those that are implanted since there are risks associated with the procedures for device removal. Therefore, a greater emphasis should be placed on software update capabilities during the design and development phase to keep up with an ever-changing technological landscape.
Future research should aim to analyze cybersecurity routine updates and patches for these devices that have been recalled. This includes changes to product labeling, such as the instructions for use, to strengthen cybersecurity through increased end-user education as recommended by the Food and Drug Administration in their 2016 final guidance titled, “Postmarket Management of Cybersecurity in Medical Devices”.