Researchers at University of Massachusetts in Amherst and Beth Israel Deaconess Medical Center in Boston (affiliated with Harvard Medical School) uncovered indications that security and privacy problems with medical devices may not be adequately reported or tracked by regulators. The team reported its findings yesterday in the online journal PLoS One.
The computer scientists and medical researchers on the team, led by computer scientist Kevin Fu at UMass Amherst and electrophysiologist Daniel Kramer at Harvard, analyzed databases maintained by the Food and Drug Administration related to computerized medical devices:
- FDA Weekly Enforcement Reports, a comprehensive list of product recalls, from January 2009 through May of 2011, focusing on medical devices
- Medical and Radiation Emitting Device Recalls, January 2002 through November 2011
- Manufacturer and User Facility Device Experience, a report of adverse events related to medical devices, from January 2000 through November 2011
The weekly enforcement reports showed about one-third of the device recalls (33%) were due to computer problems of some kind, with about another two percent each from stored patient data and wireless communications. Overall, some 15 percent of the recalls were listed as software problems.
A search of the databases returned no recalls or adverse events related specifically to security or privacy issues. However, the Department of Veterans Affairs reported to the authors 142 separate instances of malware — short for malicious software — infections affecting 207 medical devices between January 2009 and December 2011. In addition, anecdotal reports indicate malware had infected factory-installed software on other medical devices, as well as a device manufacturer’s support system.
The researchers tested FDA’s adverse event reporting mechanism itself, submitting a software vulnerability report for an automated external defibrillator in July 2011. It took nine months, say the authors, for FDA to process and make public the report. “As the time from discovery of a conventional computer security vulnerability to global exploitation of a flaw is often measured in hours,” says the paper, “a nine-month processing delay may not be an effective strategy for ensuring the security of software-based medical devices.”
The authors conclude that the current classification methods in these databases are not well suited to security problems leading to device malfunctions. The authors urge “regulators and manufacturers to carefully weigh the premarket evaluation of security and privacy elements of their devices and systems, and to design postmarket systems that enable effective collection of cybersecurity threat indicators for medical devices.”