What Could Make Your Medical Devices Go Haywire?

Leigh Page


August 27, 2013

In This Article

Safety Advice for Medical Practices

Dr. Halamka noted that physicians' offices often have medical devices that can plug into networks, such as radiography and electrocardiography equipment, patient monitors, and IV pumps, but personnel may not understand that the devices need protection using firewalls and antivirus software. "They might not even know that the thing they are buying has a computer inside it," he said.

W. Reece Hirsch recommended some steps for practices to protect their devices, such as making sure antivirus software and firewalls are up to date, asking for security patches from manufacturers, and phasing out old devices. These steps were also recommended in the recent FDA safety communication.

Hirsch said practices that do not protect their medical devices may be in violation of the HIPAA security rule.[4] The rule, written many years ago, does not specify medical devices, but it does require safeguards for computers and medical devices run on computers. He also said practices should include medical devices when they carry out their regular HIPAA risk assessment, and they should include devices in their HIPAA-required workforce training.

Draft Guidance Addresses Problems

The FDA's new draft guidance, which could be finalized next year, may resolve some of the chief problems with medical devices. According to the draft, manufacturers would need to have "a systematic plan for providing validated updates and patches" and provide instructions on recommended anti-virus software and firewall use that are "appropriate for the environment of use."[2]

Liebler, the device industry representative, does not object to the proposed guidelines. "They are not incredibly burdensome," he said. "They are not a bad idea. We're not going to be objecting. We're going to want some clarification, but that's life."

Critics of the manufacturers, however, have some concerns. Dr. Halamka said the draft only deals with new devices going through the FDA approval process and not existing devices. Neely said he hopes the final version will have more specifics.

"The regulatory process could take years to catch up with the developments we've seen just in the past few years," he said. Neely added that as healthcare becomes more interconnected, the problems with medical devices are going to become more obvious.

Medical device vulnerabilities are already capturing the popular imagination, said Hirsch, the attorney. On the TV show Homeland, a hacker-assassin kills the Vice President of the United States with wireless signals that make his pacemaker go haywire. "I'm told this is possible in theory, but not likely in the near future," he said.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.