GAO: Expand Focus on Medical Device Information Security to Include Intentional Threats

The U.S. Food and Drug Administration (FDA) should develop and implement a plan to expand its focus on information security risks for certain types of implantable medical devices that have wireless capabilities, states the U.S. Government Accountability Office (GAO) in an August 31, 2012, report. According to GAO, during FDA’s 2001 and 2006 premarket review of two medical devices that have known vulnerabilities, an implantable cardioverter-defibrillator and an insulin pump, the agency considered information security risks from unintentional threats but not risks from intentional threats. Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning.