The U.S. Government Accountability Office has issued a report urging the FDA to expand its consideration of information security for certain types of medical devices.
During its 2001 and 2006 premarket reviews of two medical devices (an implantable cardioverter defibrillator and an insulin pump) that have known vulnerabilities, the FDA considered information security risks from unintentional threats in four areas: software testing, verification and validation; risk assessments; access control; and contingency planning.
However, GAO found the FDA did not consider information security risks from intentional threats in these areas, nor did the FDA review risks from either unintentional or intentional threats in the remaining four information security control areas: risk management; patch and vulnerability management; technical audit and accountability; and security-incident-response activities.
GAO has recommended the FDA implement a plan that includes at least four actions:
1. Increase its focus on manufacturers' identification of potential unintentional and intentional threats, the vulnerabilities they could exploit, the resulting information security risks, and the strategies to mitigate those risks during its postmarket review process.
2. Utilize available resources, including those from other entities.
3. Leverage postmarket efforts to identify and investigate information security problems.
4. Establish specific milestones for completing this review and implementing these changes.