MCN Healthcare: Policy Management and Compliance Tools

The U.S. Food and Drug Administration (FDA) is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

According to the FDA, many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.

Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:

• Network-connected/configured medical devices infected or disabled by malware;

• The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;

• Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);

• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);

• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.

The FDA is not aware of any patient injuries or deaths associated with these incidents nor do they have any indication that any specific devices or systems in clinical use have been purposely targeted at this time.  The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified.

The FDA Safety Communication has recommendations for device manufacturers as well as health care facilities. 

The FDA is recommending that health care facilities take steps to evaluate network security and protect your hospital system. In evaluating network security, hospitals and health care facilities should consider:

• Restricting unauthorized access to the network and networked medical devices

• Making certain appropriate antivirus software and firewalls are up-to-date

• Monitoring network activity for unauthorized use

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services

• Contacting the specific device manufacturer if there us suspicion of a cybersecurity problem related to a medical device. If unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution

• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If a confirmed or suspected cybersecurity event has impacted the performance of a medical device or has impacted a hospital network system, the FDA encourages reporting through MedWatch, the FDA Safety Information and Adverse Event Reporting program.

Included with today's notice are policies and procedures related to the FDA Guidance on preventing cybersecurity attacks.  Organizations will find that many of the recommendations included in this FDA guidance are already required by existing HIPAA regulations.

The Centers for Disease Control and Prevention has issued a Health Advisory with resources for providers and recommendations for patient care during the national shortage of Doxycycline.  The Food and Drug Administration (FDA) originally reported a shortage of some forms of doxycycline (doxycycline hyclate) and unavailability of tetracycline on January 18, 2013, caused by both increased demand and manufacturing issues. The FDA continues to report shortage from some, but not all, manufacturers of some dosages and forms of doxycycline hyclate and doxycycline monohydrate.

The FDA does not currently report a shortage of intravenous doxycycline hyclate or the oral suspension doxycycline calcium commonly used in pediatric patients.

The CDC Health Advisory Notice provides advice on alternatives to doxycycline when available, as well as situations where there is no recommended alternative to doxycycline.

Background

Doxycycline is a broad-spectrum, bacteriostatic antibiotic used to treat a variety of diseases. For many indications, doxycycline is one of several options available for patients. However, for rickettsial infections, doxycycline is the treatment of choice. No data are available to recommend minocycline as an equally effective alternative to doxycycline for any of the diseases mentioned. Additionally, the spectrum of adverse effects with minocycline is higher than that for doxycycline. Tetracycline may be a suitable alternative for some diseases and indications; however, a similar shortage of tetracycline has been reported.

Recommendations:

• Doxycycline should be used to treat suspected rickettsial infections; no alternatives can be recommended that have the same proven degree of efficacy in limiting fatal outcome. Because treatment delay can result in adverse or fatal outcome, planning for doxycycline availability is essential.

• Doxycycline is the recommended drug for prophylaxis of Lyme disease; alternatives have not been tested for efficacy. Providers should be judicious in its use following a tick bite.

• Doxycycline should still be used for the prophylaxis and treatment of malaria according to the standard recommendations.

• Alternatives exist for the treatment of STDs and Lyme disease - Providers should use clinical judgment in making treatment and prophylactic decisions. Refer to the links in the Health Advisory, a link to which is provided below.

Detailed explanation of the rationale for these recommendations can be found in the Health Advisory.  Doxycycline is currently available from most manufacturers, although providers may need to explore new contracts for procurement; projected return to availability for the one manufacturer reporting a shortage is uncertain, but is currently projected by September 2013, based on information provided by FDA. Health care professionals should ensure they have access to doxycycline for the listed indications, and advance planning is essential to ensure treatment is not delayed. Those who encounter difficulty ordering doxycycline or increased pricing from their usual suppliers should contact alternate distributors or directly contact the manufacturers. In circumstances where outages and increased pricing occur, health-care professionals should contact their state health department to inquire about other procurement options.

Follow the links below for additional information.

The US Food and Drug Administration (FDA) and Symbios are informing the public of a Class 1 Recall of all GoPump Rapid Recovery System kits and GOBlock Kits manufactured with flow control components assembled prior to July 2012.The affected products may have excessively high flow rates. As a result, medications could be delivered too quickly from the balloon to the surgical site and cause patient toxicity due to the rapid influx of medication. This can lead to serious illness, including seizure, abnormal heart rhythms and death. Elderly patients and patients with low body mass are at high risk of these complications.

The Symbios GOPump Rapid Recovery System is a disposable local pain management system that consists of a small balloon that is inflated with a local anesthetic medication. The medication is delivered slowly through tubes from the balloon to the surgical site.

Please see the Recall Notice with listing of all the lot numbers affected. Customers who have purchased the affected devices were notified by letter dated May 10, 2013 about the problem. Follow-up letters were sent on May 14, 2013 and May 30, 2013 notifying customers of additional recalled lots. Symbios is working to secure all affected product and have it returned.