I was recently interviewed by a prominent medical publication about my thoughts on the FDA’s new policies on wireless management of infusion pumps. This new regulatory guidance allows infusion pump manufacturers to make limited modifications to the wireless capability of their devices without having to initiate a new 510(k) submission process. The goal is to allow for more effective and efficient remote wireless management of deployed devices by the available clinical staff. In this interview, the journalist wanted to understand the inherent security risks and threats to patient health in allowing such unregulated activities by the medical device industry.
I first had to politely correct the interviewer’s premise. The regulatory science behind the FDA’s decision was well-researched, and has informed a very sound policy change. The new guidance is based on the FDA’s belief that the potential security risks being introduced are minimal at best, and are far outweighed by the efficiency gains and clinical benefits. Moreover, even when their activities are unregulated, medical device manufacturers are highly motivated to follow industry best practices for cybersecurity and cybersafety. Indeed, our infusion pump clients have already engaged us to discuss the secure design and implementation of these new capabilities, intent on taking products to market that are every bit as secure as those that have gone through a rigorous regulatory review process.
To quote my interviewer, “You’re not giving me anything!”, and, needless to say, my remarks never made it to print. Nonetheless, I find it encouraging that there is nothing dire or sensational to say on the matter. The working relationship between regulators, medical device OEMs and the security community is cooperative and highly functional, promoting safe and beneficial innovations such as this one.