Several vulnerabilities have recently been identified in medical devices such as insulin pumps, infusion pumps, and pacemakers which could be exploited in malicious attacks that could potentially kill patients and concern is growing about the threat of attacks.
Recently, researchers at McAfee identified two B. Braun drug infusion pumps that had a vulnerability that could be remotely exploited by hackers to deliver double doses of medications, which could cause serious injury or death. On October 5, 2021 Medtronic expanded a product recall to include remote controllers used with some of its insulin pumps. All MiniMed Remote Controllers used with Medtronic MiniMed 508 or the MiniMed Paradigm family of insulin pumps have been recalled due to a security vulnerability that would allow an attacker to stop insulin delivery or increase delivery, resulting in serious injuries or death.
While there have been no known cases of vulnerabilities in medical devices being exploited to cause harm to patients, many security experts believe it is only a matter of time before bad actors conduct attacks and the public is naturally concerned.
This month, the U.S. Food and Drug Administration (FDA) has released a set of best practices for communicating medical device vulnerabilities to patients. The document has been created for industry stakeholders, federal partners, and other stakeholders who are responsible for communicating cybersecurity vulnerabilities to patients and caregivers. The best practices incorporate feedback received from the public on previous draft guidance released by the FDA on the information that needs to be included and how it should be presented.
The best practices include helpful information on elements to consider when developing a cybersecurity communication strategy, such as interpretability, risk, and benefits, acknowledging and explaining the unknown, availability and findability of information, the structure of the communication material, and outreach and distribution vehicles.
Often it is necessary to communicate complex messages, but they need to be worded in clear and plain language to ensure patients and caregivers understand. When communicating security vulnerabilities to patients, it is important to keep guidance as simple as possible to avoid any misunderstandings. Terminology should be used that the target audience understands, and care should be taken to ensure communications can be understood by a diverse audience. Ideally, pilot testing a communication is recommended to assess whether it is achieving its intended purpose.
Patients and caregivers should be notified as early as possible if a vulnerability poses a risk to patient safety. “Early access to serious cybersecurity vulnerability information may provide assurance to patients and empower them to take early action to avoid any potentially harmful consequences to their health,” said the FDA. Prompt communications can also help to build trust with patients and caregivers.
Patients and caregivers provided feedback confirming risk and urgency are important. They need to have the risk clearly explained to them near the start of the communication and want to know about the urgency of the request and have critical information emphasized.
The communications also need to have a call to action that is easily accessible, explaining the steps that need to be taken to mitigate risks. It is also important to discuss the risks and benefits if the probability of exploitation is not known.
“If something is not known at the time of the communication, messengers could consider acknowledging and explaining to the audience the unknown information so that this is not perceived as an omission (intentional or unintentional) or an oversight,” suggests the FDA.
Several channels should be considered for sending notifications, including patient listservs, emails, text messages, and websites. Regarding the latter, it is recommended to engage in search engine optimization to ensure communications can easily be found online about medical devices.
“As the use of connected medical devices increases and cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful, it is increasingly important for the FDA, industry, and other messengers to consider ways to improve on cybersecurity safety communications,” concluded the FDA. “Sharing information about cybersecurity vulnerabilities with patients and caregivers helps them make informed decisions about their health and their medical devices.”