JAMA Health Forum – Health Policy, Health Care Reform, Health Affairs | JAMA Health Forum | JAMA Network
Insights
January 23, 2020

Medical Devices in Harm’s Way: Medjacking

Author Affiliations
  • 1. Warren Alpert Medical School, Brown University, Providence, Rhode Island
JAMA Health Forum. 2020;1(1):e200007. doi:10.1001/jamahealthforum.2020.0007

Medtronic, the world’s largest medical device company, has recently recalled several models of its MiniMed insulin pump because of a cyber vulnerability.[1] Concerns regarding the prospect of remote app-mediated alterations of insulin delivery featured prominently in the decision.[1] With as many as 4000 patients affected, it would seem the hacking of medical devices (known as medjacking) is no longer the stuff of science fiction. Aware of the devastating potential of the evolving cyber landscape for medical devices, the US Food and Drug Administration (FDA) has countered with guidance documents, safety communications, memoranda of understanding, workshops, and webinars to address this concern. In this Insight, we review the evolving cybersecurity policies of the FDA and discuss their all-important role in mitigating and resolving cybersecurity risks for medical devices.

In its first comprehensive guidance for industry on this topic, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, the FDA outlined cybersecurity considerations for manufacturers when preparing premarket submissions for medical devices. The guidance referenced best security practices per the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. In its second guidance, Postmarket Management of Cybersecurity in Medical Devices, the FDA laid out its cybersecurity recommendations for “marketed and distributed medical devices” with a special emphasis on the need to address cybersecurity throughout a device’s life cycle. It was in this context that manufacturers were encouraged to join information sharing and analysis organizations (ISAOs). As a deliverable of Executive Order 13691 issued by President Obama, these organizations are designed to promote cybersecurity information sharing and collaboration within the private sector and between the private sector and government.[2] Manufacturers who meet the criteria for participation in an ISAO are exempted by the FDA from reporting low-risk vulnerabilities patched within a designated time period.

The latest iteration of the premarket guidance was designed to inform end users of medical devices through a cybersecurity bill of materials.[3] To be furnished by the manufacturer, this tool provides “a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.”[3] Designed to assist hospitals and other end users in countering a cyberattack, it is meant to assist end users in resolving potential threats to medical devices while awaiting further support from the device manufacturer.[3] However, concerns persist that unauthorized access to this technical information could invite misuse by malicious actors.[4] The updated guidance also seeks to address the growing number of outdated legacy devices that are difficult to secure.[3] The liabilities incurred by end users of legacy devices may be incalculable.[5] Preventing next-generation medical devices from a similar fate could require that manufacturers specify in their premarket submission the security modifications planned for medical devices across their life cycle.[3]

A number of software vulnerabilities have been identified in FDA-approved medical devices that, if exploited, could have resulted in patient harm. A verified report of such vulnerabilities triggers the posting of a Medical Device Safety Communication by the FDA.[6] In so doing, the FDA apprises the end-user community of exploitable cybersecurity flaws in approved devices, including the associated risks, corrective actions by manufacturers, and next steps for consumers. One such communication from October 1, 2019, detailed 11 vulnerabilities that “may allow anyone to remotely take control of the medical device.”[6] As many as 200 million medical devices could be subject to these “Urgent/11” liabilities. Left unattended, these vulnerabilities could allow an unsanctioned user to wirelessly hack medical devices within a finite geographic radius. Dire consequences could include altered drug delivery, interrupted dialysis care, or activated implantable defibrillators. To date, however, no reports of harm due to compromise of a medical device have reached the FDA.[6]

Going forward, the FDA plans to develop a public-private CyberMed Safety (Expert) Analysis Board.[7] As outlined by former FDA Commissioner Scott Gottlieb, the proposed interdisciplinary response team could rapidly deploy to assist stakeholders in the management of high-risk vulnerabilities.[7] This board may also be tasked with vetting cybersecurity data alongside independent cybersecurity researchers and medical device manufacturers.[7] The FDA is also poised to finalize a Common Vulnerability Scoring System to standardize cyber-threat assessments in the health care setting. Finally, the FDA plans to determine how “unlocked” artificial intelligence and machine learning algorithm-based software will fit within the existing cybersecurity framework.[8]

The role of physicians in medical device cybersecurity remains a work in progress. If past cyber assaults on hospitals’ computer systems are an indication, physicians have yet to assume a key role in resolving cyber threats.[9] Physicians may benefit from clinical simulation training that highlights the overt signs of medical device compromise, helping them to detect the early signs of a cyber threat and consider the possibility of cyber corruption in the absence of obvious alternative explanations. Physicians can also advocate for greater cybersecurity of medical devices through participation in professional organizations, FDA workshops, and congressional hearings.

Improved functioning of digital medical devices can enhance health care quality and safety. At the same time, the use of these devices leaves patients and health care organizations vulnerable to cyberattacks. This tension throws the cybersecurity portfolio of the FDA into sharp relief. The FDA, medical device manufacturers, and health care professionals must therefore remain vigilant in preventing essential medical devices from being maliciously hacked, or medjacked.

Article Information

Open Access: This is an open access article distributed under the terms of the CC-BY License. © 2020 Adashi EY et al. JAMA Health Forum.

Corresponding Author: Eli Y. Adashi, MD, MS, Warren Alpert Medical School, Brown University, 272 George St, Providence, RI 02906 (eli_adashi@brown.edu).

Conflict of Interest Disclosures: Dr Adashi reported receiving personal fees for serving as co-chair of the Safety Advisory Board of Ohana Biosciences. No other disclosures were reported.

References
1. Voelker R. Insulin pumps could be hacked. JAMA. 2019;322(5):393.
2. Promoting private sector cybersecurity information sharing, Exec. Order No. 13691, 3 CFR 13691. https://www.govinfo.gov/app/details/CFR-2016-title3-vol1/CFR-2016-title3-vol1-eo13691/summary. Accessed January 10, 2020.
3. US Food and Drug Administration. Content of premarket submissions for management of cybersecurity in medical devices: draft guidance for industry and Food and Drug Administration staff. https://www.fda.gov/media/119933/download. October 18, 2018. Accessed December 29, 2019.
4. Advanced Medical Technology Association. Re: docket No. FDA-2018-N-1315: medical device safety action plan: protecting patients, promoting public health [letter to the US Food and Drug Administration]. https://www.advamed.org/sites/default/files/resource/advamed_comments_on_dkt_no_fda-2018-n-1315_medical_device_safety_action_plan.pdf. Accessed December 29, 2019.
5. American Hospital Association. Re: supported lifetimes request for information [letter to the Congressional Energy and Commerce Committee and its Subcommittee on Oversight and Investigations]. https://www.aha.org/system/files/2018-06/180531-letter-house-energy-commerce-legacy-tech.pdf. May 31, 2018. Accessed December 29, 2019.
6. US Food and Drug Administration. URGENT/11 cybersecurity vulnerabilities in a widely-used third-party software component may introduce risks during use of certain medical devices: FDA safety communication. https://www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-vulnerabilities-widely-used-third-party-software-component-may-introduce. October 1, 2019. Accessed December 29, 2019.
7. US Food and Drug Administration. Statement from FDA commissioner Scott Gottlieb, MD, on new efforts to enhance and modernize the FDA’s approach to medical device safety and innovation. https://www.fda.gov/news-events/press-announcements/statement-fda-commissioner-scott-gottlieb-md-new-efforts-enhance-and-modernize-fdas-approach-medical. April 16, 2018. Accessed December 29, 2019.
8. Hwang TJ, Kesselheim AS, Vokinger KN. Lifecycle regulation of artificial intelligence- and machine learning-based software devices in medicine. JAMA. 2019;322(23):2285-2286. doi:10.1001/jama.2019.16842
9. Cohen IG, Hoffman S, Adashi EY. Your money or your patient’s life? Ransomware and electronic health records. Ann Intern Med. 2017;167(8):587-588. doi:10.7326/M17-1312