If medical devices have cybersecurity problems, the U.S. Food and Drug Administration doesn't want to stand in the way of companies moving quickly to fix them.
"This isn't about the FDA being your adversary. This is not about you being compliant. This is about the other adversaries that we know exist out there, and working together so we can protect this critical infrastructure," said Seth Carmody, cybersecurity project manager with the FDA.
Carmody spoke Monday to a roomful of health care executives attending AdvaMed 2016, a medical device industry conference at the Minneapolis Convention Center through Wednesday, about one of the bigger growing concerns in the medical device industry.
During his remarks, Carmody noted that an exemption to the Digital Millennium Copyright Act might soon allow the public to legally probe medical devices and find security vulnerabilities. "So you may have people knocking on your door about vulnerabilities," he said.
Looking the other way is not the correct response, even if the device is old or was made by a different company.
Rather, the FDA wants a company to do a full risk assessment and if a risk is severe, to do a "coordinated disclosure" of information about vulnerabilities and solutions.
Today about 14 billion devices are connected to the internet, including some bedside drug-infusion pumps in hospitals and pacemakers implanted in patients' chests. The number of devices in this "Internet of Things" is projected to jump to 50 billion by 2020, making cybersecurity a top issue in coming years.
"Adversaries" in the medical device cybersecurity realm would include hackers targeting individual devices and systems, and older computer viruses still floating around the internet that could create chaos if they find their way into unpatched networks.
In theory, a malicious hacker could compromise a device and then cause medical harm to a patient by causing an error in drug dosing or draining a device's battery, but no case of this happening has been documented. Hackers have targeted hospital networks and demanded ransom in exchange for unlocking the hospital's computer system. Devices could also theoretically be hacked to secretly transmit patients' health and financial data outside the hospital, where it could be exploited for identity theft.
In the past two months, two major medical device companies have been hit with cybersecurity headaches.
On Oct. 4, Johnson & Johnson announced cybersecurity vulnerabilities that would allow a person to remotely control a One Touch Ping insulin pump. The company published a letter to patients on how to minimize what it called the low risk of that happening, in consultation with regulators and security experts.
On Aug. 25, a short-selling financial firm announced it had discovered what it called major cybersecurity problems with implantable heart devices made by Little Canada-based St. Jude Medical. St. Jude Medical called the claims false and sued for defamation, while also examining the alleged problems.
On Monday, St. Jude announced the formation of a Cyber Security Medical Advisory Board of experts to help the company "as we continue to advance cyber security standards in the medical device industry by working with experts and government agencies," a St. Jude news release said. St. Jude has long collaborated with regulators on cybersecurity issues.
Working closely with government agencies to deal with perceived or potential weaknesses in devices may not come naturally for people who have worked in the med-tech industry for years.
Carmody recounted recent phone calls from medical device security officials who said they were interested in having an "informal chat" with FDA officials, but other people in their companies had advised them not to share information with the FDA.
"It's different. Cybersecurity is going to be a group effort, a whole community approach," Carmody said. "The FDA isn't an adversary. We have real adversaries, real threats out there. We need to work together."