A new study in the journal Public Library of Science (PLoS) One assesses the security features of medical devices, and finds US regulators are doing a poor job at assuring the long-term integrity of the devices.
The study, "Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance," specifically looks at the emergence of medical devices with wireless connectivity and software-based devices connected to facility networks. "These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting," explain the researchers.
Led by Daniel Kramer of Harvard Medical School, the seven researchers involved in the study utilized weekly enforcement reports maintained by the US Food and Drug Administration (FDA), as well as reports of device recalls and adverse event reports.
Researchers found 1,845 medical device recalls, with 15.1% of the recalls related to software issues and a further 49.8% related to mechanical problems. A total of 1.7% of all recalled devices were capable of wireless connectivity.
Despite the small number of wireless devices, they represented a disproportionate number and severity of recalls, the authors wrote. "Though storage of patient data and wireless communication were relatively uncommon features of implanted devices, these features were often adjudicated to be responsible for recalls of devices utilizing them."
"For example, 301 (49.8%) of devices with computers that were recalled had computing functions as the reason for the recall itself," explained the authors. "Six (17.1%) of the 35 devices storing patient data had recalls originating from this function, and 6 (19.4%) of the 31 devices using wireless communication had recalls originating from this function."
Potentially Deadly Errors
Though regulators may immediately think of the security concerns related to wireless devices-the subject of a recent homeland security report-the authors identified some more benign-sounding but equally dangerous examples of wireless devices failing under certain conditions.
One example cited by authors is CareFusion's Alaris PC Unit, which was recalled after the manufacturer was made aware of communication errors occurring under "Certain wireless network conditions." The errors could lead to a "delay of therapy," resulting in "serious injury and/or death," wrote CareFusion.
The authors were only able to find one security-related recall, which was related to a "failure of security measures designed to restrict access to the console."
Regulators would do well to take notice of the conclusions of the study, write the authors. "This again suggests that the classification of postmarket events may not be well-positioned to prospectively collect security or privacy related problems," they write. "The … current surveillance mechanisms may be insufficiently tailored to these specific problems."
The authors go on to suggest more specific reporting categories for security-related events, clearer instructions for how to correct security problems, and for regulators to focus more on understanding security and privacy issues.
"While this study provides some comfort in the lack of observed security or privacy breaches, the related adverse events or device malfunctions are not served well by the current approach to postmarket surveillance.," conclude the authors.
PLoS One - Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance