The FDA has issued a 30-page document addressing cyber vulnerabilities in medical devices, providing manufacturers with guidelines for fixing security bugs in equipment, including pacemakers, insulin pumps, and imaging systems, according to a Reuters report.

The agency released the guidance as it investigates claims that heart devices from St. Jude Medical, Inc., are vulnerable to life-threatening hacks. The allegations, which surfaced in August, underscore the need for government rules on identifying and mitigating the impact of security vulnerabilities in medical equipment, the agency said.

A growing number of medical devices are designed to be networked to facilitate patient care, the document points out. However, like other networked computer systems, networked medical devices incorporate software that may be vulnerable to cybersecurity threats.

According to Suzanne Schwartz, a senior FDA official who helped draft the new rules, these threats are real, ever-present, and continuously changing. “And as hackers become more sophisticated, these cybersecurity risks will evolve,” she said.

The FDA document states that the agency “recognizes that medical device cybersecurity is a shared responsibility among stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

In February 2013, President Obama issued Executive Order 13636 “Improving Critical Infrastructure Cybersecurity,” which recognized that “resilient infrastructure is essential to preserving national security, economic stability, and public health and safety in the United States.” The following year, the FDA issued guidance on how manufacturers should address cybersecurity when developing new products, although the rules did not cover equipment that was already on the market. In 2015, the agency advised hospitals to stop using one of Hospira’s infusion pumps, saying a security vulnerability could allow cyber attackers to take remote control of the system.

The new guidelines detail how manufacturers can identify and fix cyber vulnerabilities in marketed products.

Sources: Reuters; December 27, 2016; and FDA Guidance; December 28, 2016.
