CDRH Moves Suspiciously Fast on Medical Device RF Safety

By Jim Dickinson

Propelled by rising congressional and public concerns about cyber security, CDRH moved with unusual speed in August to finalize and release a new guidance document intended to assist industry and FDA staff in identifying and addressing specific considerations related to using radio frequency (RF) wireless technology in medical devices. The move came only two months after CDRH issued a special appeal to medical device manufacturers to strengthen their products against cyber attacks.

Typically, FDA does not move this swiftly in issuing run-of-the-mill advisory documents, so something is definitely brewing in the governmental background. Exactly what that is you’re not likely to learn from usual sources since the government maintains a fierce, wartime silence in all matters involving security of any kind.

No known criminal or terrorist hacking into medical devices has yet occurred, although there have been fictitious incidents in the entertainment media that experts have said are scientifically credible. On Showtime’s “Homeland” television drama series, the Vice President of the United States was assassinated by hackers who had accessed his pacemaker and delivered a fatal electric shock.

The AFP newswire quoted the late notable device hacker Barnaby Jack at the security firm IOActive as saying this kind of attack is feasible and his own research into a major firm’s pacemakers and defibrillators had found them to “to be particularly vulnerable” and that from 30 to 50 feet from the devices “I can retrieve the credentials needed to interrogate the individual implants remotely.”

What's far more likely is that malware will unintentionally disrupt or disorder RF wireless medical device functioning. And it is this risk that CDRH has moved so swiftly to address, citing the increasing number of such devices operating in an increasingly crowded RF environment.

The FDA guidance, Radio Frequency Wireless Technology in Medical Devices, highlights and discusses RF wireless technology considerations that can have an effect on the safe and effective use of medical devices. “These considerations include the selection of wireless technology, quality of service, coexistence, security, and electromagnetic compatibility (EMC),” it says. “Consideration of these areas can help provide reasonable assurance of safety and effectiveness for medical devices that incorporate RF wireless technology, and are supplementary to other device-specific guidances or guidelines.”

The document also provides recommendations for information to be included in FDA premarket submissions for devices that use RF wireless technology. The guidance asks designers and manufacturers of wireless medical device to consider how well a device will function in environments alongside other RF wireless technologies. For wirelessly enabled devices, risk management should include “considerations for robust RF wireless design, testing, deployment, and maintenance throughout the life cycle of the product.”

Examples of potentially problematic wireless-related hazards and effects include:

The document also covers design validation and requires manufacturers to include risk analysis of RF wireless communications and control functions as part of their design validation of a wireless medical device under 21 CFR 820.30(g).

“Because it is possible for an electromagnetic disturbance (EMD) to affect important medical device functions, mitigation measures for some risks could aid the device operator in recognizing a hazardous situation and taking action to prevent harm,” the guidance says. “For example, design validation might reveal that steps to reestablish an RF wireless connection such as re-initialization could compromise safety under some use conditions.”

The guidance can be downloaded here.